


KB45487 - Client-Side Desync Attack Informational Article



Last Modified Date: 9/28/2022 3:02 AM
This article provides mitigation information for a vulnerability that affects the Pulse Collaboration feature in Pulse Connect Secure version 9.1R15 and below.
Problem or Goal
As described in SA45476 - Client Side Desync Attack (Informational), PortSwigger has provided a responsible disclosure of a vulnerability that affects the Pulse Collaboration feature. See for details.


Pulse Secure was aware of this article, and after an initial evaluation we classified this as a product defect rather than a security issue and treated it as such. After receiving questions from customers, we conducted further investigations and have now changed our position. We have requested CVE-2022-21826, with CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N and a CVSS score of 3.7 (Low).

As the PortSwigger article makes clear, it would be extremely complex to exploit this vulnerability in a real-world situation.


The Pulse Collaboration feature that is the target of this attack is not available in any releases post 9.1R16.
If you are running versions 9.1R15 or lower, the immediate remediation is to upgrade to version 9.1R16 or above.

Created By: Sean Parker


