Buffer overflow in Pulse Connect Secure

CVE-2021-22908

A buffer overflow vulnerability in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not…

Vulnerability class: Buffer Overflow

EPSS: 0.694 (99.3th percentile)

Affected products

  • N/a Pulse Connect Secure — versions Fixed in 9.1R11.5

Frequently asked questions

What is CVE-2021-22908?
CVE-2021-22908 is a vulnerability in Pulse Connect Secure, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). Published 2021-05-27.
Is CVE-2021-22908 known to be exploited?
One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.