CVE-2019-11510
Summary
| CVE | CVE-2019-11510 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-05-08 17:29:00 UTC |
| Updated | 2024-01-13 18:36:00 UTC |
| Description | In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability . |
Risk And Classification
EPSS: 0.944140000 probability, percentile 0.999800000 (date 2026-04-02)
CISA KEV: Listed on 2021-11-03; due 2022-05-03; ransomware use Known
Problem Types: CWE-22
CISA Known Exploited Vulnerability
| Vendor | Ivanti |
|---|---|
| Product | Pulse Connect Secure |
| Name | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | Reference CISA's ED 21-03 (https://www.cisa.gov/news-events/directives/ed-21-03-mitigate-pulse-connect-secure-product-vulnerabilities) for further guidance and requirements. Note: The due date for addressing this vulnerability aligns with the requirements outlined in ED 21-03. https://nvd.nist.gov/vuln/detail/CVE-2019-11510 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ivanti | Connect Secure | 9.0 | r1 | All | All |
| Application | Ivanti | Connect Secure | 9.0 | r2 | All | All |
| Application | Ivanti | Connect Secure | 9.0 | r2.1 | All | All |
| Application | Ivanti | Connect Secure | 9.0 | r3 | All | All |
| Application | Ivanti | Connect Secure | 9.0 | r3.1 | All | All |
| Application | Ivanti | Connect Secure | 9.0 | r3.2 | All | All |
| Application | Ivanti | Connect Secure | 9.0 | r3.3 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r1.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r1.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r10.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r11.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r12.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r2.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r3.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r3.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r4.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r4.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r5.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r5.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r6.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r7.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r7.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r8.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r8.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r8.2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r9.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r2.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r3 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r4 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r5 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r5.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r5.2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r6 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r6.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r7 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r2.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3.2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3.3 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r1.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r1.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r10.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r11.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r12.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r2.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r3.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r3.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r4.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r4.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r5.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r5.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r6.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r7.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r7.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r8.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r8.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r8.2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.2 | r9.0 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r2.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r3 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r4 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r5 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r5.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r5.2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r6 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r6.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 8.3 | r7 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r2.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3.1 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3.2 | All | All |
| Application | Pulsesecure | Pulse Connect Secure | 9.0 | r3.3 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure ≈ Packet Storm | MISC | packetstormsecurity.com | Third Party Advisory, VDB Entry |
| VU#927237 - Multiple vulnerabilities in Pulse Secure VPN | CERT-VN | www.kb.cert.org | |
| Over 14,500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 – Bad Packets | MISC | badpackets.net | Third Party Advisory |
| Pulse Connect Secure and Pulse Policy Secure Multiple Security Vulnerabilities | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Pulse Secure SSL VPN File Disclosure NSE ≈ Packet Storm | MISC | packetstormsecurity.com | Third Party Advisory, VDB Entry |
| Public KB - SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX | CONFIRM | kb.pulsesecure.net | Patch, Vendor Advisory |
| Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study! | DEVCORE | MISC | devco.re | Third Party Advisory |
| Public KB - Home | MISC | kb.pulsesecure.net | Vendor Advisory |
| i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-L... | MISC | i.blackhat.com | Third Party Advisory |
| Security Advisory | CONFIRM | psirt.global.sonicwall.com | Third Party Advisory |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.