CVE-2022-21826

EPSS 45.2%CWE-444

In short

Pulse Secure versions 9.115 and below ignore the Content-Length header in POST requests, leaving leftover data on the connection that gets prepended to the next HTTP request. An attacker can exploit this to inject malicious content into a subsequent request, potentially leading to XSS attacks in a user's browser.

Technical detail

HTTP request smuggling vulnerability in Pulse Secure ≤9.115 caused by improper handling of Content-Length headers in POST requests, allowing attacker-controlled data to persist on the TLS socket and prefix subsequent requests. Attack vector requires victim to visit attacker-controlled website that triggers a cross-origin POST, with impact of potential XSS execution in the victim's browser context.

Summary generated and translated by AI from the official description.

Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.

Affected products

n/a · Pulse Connect Secure VPN Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-Desync-Attack/