Pulse One On-Premise software version 2.0.1649 does not properly validate requests which allows remote users to query and obtain sensitive information. This issue is exploitable only for Pulse One On-Premise (runs only on PSA7000 devices). For more information about Pulse One On-Premise, please refer to KB40560 - Pulse One On-Premise Frequently Asked Questions (FAQ)
PSIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during proactive internal security audits.
This issue was assigned CVE-2017-14935.
All other Pulse Secure products are not vulnerable to this issue:
- Pulse Connect Secure
- Pulse Policy Secure
- All Pulse clients (Network Connect, Pulse Secure Desktop, Secure Application Manager, etc)
- Pulse Workspace
- Pulse One cloud solution (hosted by Pulse Secure)
- Pulse Secure vADC
- Virtual Appliances (VA-DTE & VA-SPE)