Pulse Connect Secure Insecure Cookie Handling (SA44114)

high Nessus Plugin ID 125628

Synopsis

The remote device is affected by an insecure cookie handling flaw.

Description

According to its self-reported version, the Pulse Connect Secure installation running on the remote host is prior to 8.1R14, 8.3R7, or 9.0R3. It is therefore affected by an error in session cookie handling that allows an attacker to access session cookies and spoof sessions.

Solution

Upgrade to version 8.1R14, 8.3R7, 9.0R3, or later.

See Also

http://www.nessus.org/u?9b3e709e

Plugin Details

Severity: High

ID: 125628

File Name: pulse_connect_secure-sa-44114.nasl

Version: 1.7

Type: remote

Family: Misc.

Published: 5/31/2019

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-11213

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:pulsesecure:pulse_connect_secure

Required KB Items: installed_sw/Pulse Connect Secure

Exploit Ease: No known exploits are available

Patch Publication Date: 4/11/2019

Vulnerability Publication Date: 4/11/2019

Reference Information

CVE: CVE-2019-11213

CERT: 192371