Skip to main content

Pulse Secure Desktop Client CVE-2020-13162

HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2020-06-16 cve@mitre.org
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 16, 2020 - 20:15 nvd
HIGH 7.0

DescriptionNVD

A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.

AnalysisAI

A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-367. A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges. Affected products include: Pulsesecure Pulse Secure Desktop Client, Pulsesecure Pulse Secure Installer Service. Version information: prior to 9.1.6.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-8239 CRITICAL
9.8 Oct 28

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 is vulnerable to the client registry privilege escalation att

CVE-2018-11002 MEDIUM POC
5.5 Nov 29

Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on Windows has Insecure Permissions. Rated medium se

CVE-2020-8254 HIGH
8.8 Oct 28

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to

CVE-2019-11213 HIGH
8.1 Apr 12

In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof se

CVE-2020-8250 HIGH
7.8 Oct 28

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege. Ra

CVE-2020-8249 HIGH
7.8 Oct 28

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflo

CVE-2020-8248 HIGH
7.8 Oct 28

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege. Ra

CVE-2020-8240 HIGH
7.8 Oct 28

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a restricted user on an endpoint machine can use syste

CVE-2018-15865 HIGH
7.8 Sep 06

The Pulse Secure Desktop (macOS) has a Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerab

CVE-2020-8241 HIGH
7.5 Oct 28

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end user

CVE-2018-16261 MEDIUM
6.8 Sep 06

In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, there is a Privilege Escalation Vulnerability with Dy

CVE-2018-15749 MEDIUM
5.5 Sep 06

The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability. Rated medium severity (

Share

CVE-2020-13162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy