Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-8220

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-30 Jul, 2020 | 12:53
Updated At-04 Aug, 2024 | 09:56
Rejected At-
Credits

A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:30 Jul, 2020 | 12:53
Updated At:04 Aug, 2024 | 09:56
Rejected At:
▼CVE Numbering Authority (CNA)

A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.

Affected Products
Vendor
n/a
Product
Pulse Connect Secure
Versions
Affected
  • Fixed in 9.1R8
Problem Types
TypeCWE IDDescription
CWECWE-400Denial of Service (CWE-400)
Type: CWE
CWE ID: CWE-400
Description: Denial of Service (CWE-400)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
x_refsource_MISC
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
x_refsource_MISC
x_transferred
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:30 Jul, 2020 | 13:15
Updated At:27 Feb, 2024 | 21:04

A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Primary2.05.5MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:P
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Type: Primary
Version: 2.0
Base score: 5.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:N/I:P/A:P
CPE Matches
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:-:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
Ivanti Software
ivanti
>>connect_secure>>9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
Pulse Secure
pulsesecure
>>pulse_connect_secure>>Versions up to 9.0(inclusive)
cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:-:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r3.1:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r4.1:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r4.2:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:*
Ivanti Software
ivanti
>>policy_secure>>9.1
cpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:*
Pulse Secure
pulsesecure
>>pulse_policy_secure>>Versions up to 9.0(inclusive)
cpe:2.3:a:pulsesecure:pulse_policy_secure:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-400Primarynvd@nist.gov
CWE-400Secondarysupport@hackerone.com
CWE ID: CWE-400
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-400
Type: Secondary
Source: support@hackerone.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516support@hackerone.com
Vendor Advisory
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
Source: support@hackerone.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2021-42133
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-3.58% / 87.29%
||
7 Day CHG~0.00%
Published-07 Dec, 2021 | 13:13
Updated-04 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.

Action-Not Available
Vendor-n/aIvanti Software
Product-avalancheIvanti Avalanche
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2021-22933
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-6.31% / 90.57%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 18:38
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-9379
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-83.79% / 99.25%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 16:23
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-10-30||As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.

SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_cloud_services_applianceCSA (Cloud Services Appliance)endpoint_manager_cloud_services_applianceCloud Services Appliance (CSA)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-22965
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-11.33% / 93.27%
||
7 Day CHG~0.00%
Published-19 Nov, 2021 | 18:10
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to causes a denial of service when a malformed request is sent to the device.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-11478
Matching Score-6
Assigner-Canonical Ltd.
ShareView Details
Matching Score-6
Assigner-Canonical Ltd.
CVSS Score-5.3||MEDIUM
EPSS-25.33% / 95.99%
||
7 Day CHG~0.00%
Published-18 Jun, 2019 | 23:34
Updated-16 Sep, 2024 | 23:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SACK can cause extensive memory use via fragmented resend queue

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

Action-Not Available
Vendor-Ivanti SoftwareCanonical Ltd.Linux Kernel Organization, IncPulse SecureF5, Inc.Red Hat, Inc.
Product-ubuntu_linuxbig-ip_webacceleratorpulse_secure_virtual_application_delivery_controllerbig-ip_application_acceleration_managerenterprise_linux_atomic_hostbig-ip_policy_enforcement_managerbig-ip_fraud_protection_serviceenterprise_linuxenterprise_linux_ausbig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_analyticsbig-ip_domain_name_systemconnect_securebig-ip_application_security_managerbig-ip_edge_gatewaylinux_kernelbig-ip_link_controllerenterprise_linux_euspulse_policy_securebig-ip_access_policy_managertraffix_signaling_delivery_controllerenterprise_mrgbig-ip_advanced_firewall_managerLinux kernel
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-35254
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.77% / 72.51%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 00:00
Updated-24 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.

Action-Not Available
Vendor-n/aIvanti Software
Product-policy_secureconnect_secureneurons_for_zero-trust_accessIvanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero Trust Access Gateway
CWE ID-CWE-416
Use After Free
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-38043
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.8||HIGH
EPSS-0.27% / 50.37%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 23:18
Updated-12 Aug, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists on all versions of the Ivanti Secure Access Client below 22.6R1.1, which could allow a locally authenticated attacker to exploit a vulnerable configuration, potentially leading to a denial of service (DoS) condition on the user machine and, in some cases, resulting in a full compromise of the system.

Action-Not Available
Vendor-Ivanti SoftwareMicrosoft Corporation
Product-windowssecure_access_clientSecure Access Client Windowssecure_access_client_windows
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-38463
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.3||HIGH
EPSS-0.21% / 42.98%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 11:23
Updated-17 Sep, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AUVESY Versiondog

The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions.

Action-Not Available
Vendor-auvesyAUVESY
Product-versiondogVersiondog
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
Details not found