CVE-2019-11213 — HIGH (8.1)

Q: How severe is CVE-2019-11213?

CVE-2019-11213 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11213?

Check the references section above for vendor advisories and patch information. Affected products include: Ivanti Connect Secure, Pulsesecure Pulse Connect Secure, Pulsesecure Pulse Secure Desktop Client.

Vulnerability Description

In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3.

CVSS Score

8.1

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ivanti	Connect Secure	>= 9.0r1, < 9.0r3
Pulsesecure	Pulse Connect Secure	>= 8.1r1.0, <= 8.1r14.0
Pulsesecure	Pulse Secure Desktop Client	>= 5.0r1.0, < 5.3r7

Related Weaknesses (CWE)

CWE-384

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114Vendor Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114/Vendor Advisory
https://www.kb.cert.org/vuls/id/192371Third Party AdvisoryUS Government Resource
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114Vendor Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114/Vendor Advisory
https://www.kb.cert.org/vuls/id/192371Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2019-11213?

CVE-2019-11213 is a vulnerability with a CVSS score of 8.1 (HIGH). In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issu...

How severe is CVE-2019-11213?

CVE-2019-11213 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11213?

Check the references section above for vendor advisories and patch information. Affected products include: Ivanti Connect Secure, Pulsesecure Pulse Connect Secure, Pulsesecure Pulse Secure Desktop Client.