CVE-2019-11510
Published: 08 May 2019
Summary
CVE-2019-11510 is a critical-severity Path Traversal (CWE-22) vulnerability in Ivanti Connect Secure. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-11510 is a path traversal vulnerability (CWE-22) affecting Pulse Secure Pulse Connect Secure (PCS) versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. It allows an unauthenticated remote attacker to read arbitrary files on the affected appliance by submitting a specially crafted URI, and carries a CVSS 3.1 base score of 10.0 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An attacker with network access can exploit the flaw to retrieve sensitive files such as configuration data or credentials stored on the VPN appliance. Successful file disclosure can expose session tokens, private keys, and other material that enables further compromise of the device and connected networks.
Public references document working proof-of-concept exploits, an Nmap NSE script for mass scanning, and reports of more than 14,500 exposed endpoints remaining vulnerable months after disclosure. Advisories and vendor guidance direct administrators to apply the fixed releases (8.2R12.1, 8.3R7.1, or 9.0R3.4) to eliminate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-3183
Vulnerability details
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patches (8.2R12.1, 8.3R7.1, 9.0R3.4) that eliminate the path-traversal flaw.
Mandates input validation on URIs and path parameters to block the crafted requests that enable arbitrary file reads.
Enforces access-control policy so that unauthenticated remote actors cannot read arbitrary files regardless of URI manipulation.