CVE-2020-8255

high-risk

Published 2020-10-28

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary file reading vulnerability is fixed using encrypted URL blacklisting that prevents these messages.

Do I need to act?

!

13.5% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

4

CVSS 4.9/10 Medium

NETWORK / LOW complexity

Affected Products (15)

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Pulse Secure Desktop Client

Affected Vendors

Pulsesecure

References (2)

Vendor Advisory https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

Vendor Advisory https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

50

/ 100

high-risk

Severity 20/34 · Moderate

Exploitability 12/34 · Low

Exposure 18/34 · Moderate