As described in SA45476
- Client Side Desync Attack (Informational), Portswigger has provided a responsible disclosure of a vulnerability that affects the Pulse Collaboration feature. See https://portswigger.net/research/browser-powered-desync-attacks
Pulse Secure was aware of this article, and after an initial evaluation we classified this as a product defect rather than a security issue and treated it as such. After receiving questions from customers we have conducted further investigations and have now changed our position. We have now requested CVE-2022-21826 with CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Score 3.7 (Low).As the Portswigger article makes clear, it would be extremely complex to exploit this vulnerability in a real world situation.