Pulse Secure Pulse Connect Secure (PCS) Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Vulnerability
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced.
The information has been provided by Vendor
The original article can be found at:https://git.lsd.cat/g/pulse-host-checker-rce
Allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.
Pulse Secure Pulse Connect Secure (PCS)