CVE-2022-21826

Medium

Published: 30 September 2022

Modified: 21 November 2024
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0590 (90.8th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21826 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Ivanti Connect Secure. Its CVSS base score is 5.4 (Medium).

Operationally, it is ranked in the top 9.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

Pulse Secure versions 9.115 and below are affected by a client-side HTTP request smuggling vulnerability tracked as CVE-2022-21826. The flaw occurs because the application ignores the Content-Length header on incoming POST requests and leaves the request body on the TCP/TLS socket, allowing that body to prefix the next HTTP request sent over the same connection and enabling a cross-site scripting outcome.

An attacker who can induce a victim's browser to issue a crafted POST request to the Pulse Secure instance can exploit the desynchronization to inject arbitrary content into subsequent requests made by that browser, achieving reflected XSS with limited impact on confidentiality and integrity.
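
The parsing behaviour described above, modelled in memory as an added example (not Pulse Secure or Ivanti code, and not taken from the advisory): a request reader that skips Content-Length leaves the body to be parsed as the start of the next request, while one that honours it does not. The host name, paths, body and function names are constructed for illustration.

```python
import re

# Constructed bytes of one keep-alive connection: a POST with a 7-byte body,
# then an unrelated GET. Host and paths are placeholders.
SAMPLE = (
    b"POST /form HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 7\r\n\r\n"
    b"a=1&b=2"
    b"GET /home HTTP/1.1\r\nHost: vpn.example\r\n\r\n"
)
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def read_requests(stream, honor_content_length):
    """Split the bytes of one persistent connection into requests.

    Returns (request_line, headers, body) tuples. With
    honor_content_length=False the reader models the flaw: the body is never
    consumed, so it is parsed as the start of the next request.
    """
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:  # leftover bytes with no complete header block
            requests.append((stream[pos:].decode("latin-1"), {}, b""))
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        body = b""
        if honor_content_length:
            length = int(headers.get("content-length", "0"))
            body = stream[pos:pos + length]
            pos += length
        requests.append((lines[0], headers, body))
    return requests


def malformed_request_lines(requests):
    """Request lines that are not 'METHOD target HTTP/1.x': a desync symptom."""
    return [line for line, _, _ in requests if not REQUEST_LINE.match(line)]


if __name__ == "__main__":
    for mode in (False, True):
        parsed = read_requests(SAMPLE, mode)
        print(mode, [r[0] for r in parsed], malformed_request_lines(parsed))
```

The malformed request line that the flawed mode produces is the kind of entry worth searching for in access logs of an unpatched appliance.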

Public advisories from Pulse Secure describe the issue as a client-side desync attack and are available at the referenced knowledge-base articles for affected customers.

The associated EPSS score reached a peak of 0.0884 after disclosure before settling at the current value of 0.0590.

Vulnerability details

Pulse Secure version 9.115 and below may be susceptible to client-side HTTP request smuggling. When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection. This means that when someone loads a website, an attacker may be able to make the browser issue a POST to the application, enabling XSS.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti; Product: connect secure; Version: 9.1
Vendor: pulsesecure; Product: pulse connect secure; Version: ≤ 9.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
