CVE-2022-21826
Published: 30 September 2022
Summary
CVE-2022-21826 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Ivanti Connect Secure. Its CVSS base score is 5.4 (Medium).
Operationally, it is ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Pulse Secure versions 9.115 and below are affected by a client-side HTTP request smuggling vulnerability tracked as CVE-2022-21826. The flaw occurs because the application ignores the Content-Length header on incoming POST requests and leaves the request body on the TCP/TLS socket, allowing that body to prefix the next HTTP request sent over the same connection and enabling a cross-site scripting outcome.
An attacker who can induce a victim's browser to issue a crafted POST request to the Pulse Secure instance can exploit the desynchronization to inject arbitrary content into subsequent requests made by that browser, achieving reflected XSS with limited impact on confidentiality and integrity.
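The framing failure described above, as an added illustration (not code from Pulse Secure or its advisory): a toy parser reads one persistent connection twice, once honouring Content-Length and once ignoring it, so the unread POST body becomes the start of the next request. The host name, paths and the `X-Pad` header are constructed sample values.

```python
# Added illustration: toy HTTP/1.1 request framing over one persistent connection.
CRLF = b"\r\n"

def read_requests(stream: bytes, honor_content_length: bool):
    """Split a connection's bytes into (request_line, headers, body) tuples.

    honor_content_length=False models the flaw: the body is never consumed."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end == -1:
            break  # incomplete head, nothing more to parse
        head = stream[pos:end].split(CRLF)
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        length = int(headers.get(b"content-length", b"0")) if honor_content_length else 0
        body = stream[pos:pos + length]
        pos += length  # with length 0 the body stays on the "socket"
        requests.append((head[0], headers, body))
    return requests

def request_lines(stream: bytes, honor_content_length: bool):
    return [r[0] for r in read_requests(stream, honor_content_length)]

def framing_diverges(stream: bytes) -> bool:
    """True when ignoring Content-Length changes how the stream is split."""
    return request_lines(stream, True) != request_lines(stream, False)

# Constructed sample traffic: a POST whose body looks like the start of a request,
# followed by the browser's next, unrelated request on the same connection.
BODY = b"GET /constructed-path HTTP/1.1\r\nX-Pad: "
FIRST = (b"POST /constructed-endpoint HTTP/1.1\r\nHost: vpn.example\r\n"
         b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
NEXT = b"GET /index HTTP/1.1\r\nHost: vpn.example\r\n\r\n"
STREAM = FIRST + NEXT

if __name__ == "__main__":
    for honor in (True, False):
        print("honor Content-Length:", honor)
        for line, headers, body in read_requests(STREAM, honor):
            print("   ", line, "| x-pad:", headers.get(b"x-pad"), "| body bytes:", len(body))
    print("framing diverges:", framing_diverges(STREAM))
```

With Content-Length honoured, the second request is the browser's own `GET /index`; with it ignored, the second request line comes from the POST body and the browser's real request line is absorbed into a header value.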
Public advisories from Pulse Secure describe the issue as a client-side desync attack and are available at the referenced knowledge-base articles for affected customers.
The associated EPSS score reached a peak of 0.0884 after disclosure before settling at the current value of 0.0590.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26985
Vulnerability details
Pulse Secure version 9.115 and below may be susceptible to client-side HTTP request smuggling. When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection. This means that when someone loads a website, an attacker may be able to make the browser issue a POST to the application, enabling XSS.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.