KB45013 - CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

A vulnerability has been reported on the 23rd of Jan 2022 under https://nvd.nist.gov/vuln/detail/CVE-2022-23852

Description - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Related link: https://access.redhat.com/security/cve/cve-2022-23852

Ivanti Pulse Engineering teams are aware of these vulnerabilities and we will keep this KB updated, .  Product CVSS Score / Exploitability if Applicable Impact Fix Pulse Secure Virtual Traffic Manager   Affected vTM 22.1 (April 2022) Pulse Secure Services Director CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Pulse Secure Services Director is potentially vulnerable, however, is only accessible to users with admin level privileges. The attack vector is highly complex and requires admin level privileges so exploitability factor is low. Affected TBD Pulse Secure Web Application Firewall CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Some configuration management features are potentially vulnerable however these features are only accessible to users with admin level privileges. The attack vector is highly complex and requires admin level privileges so exploitability factor is low. Affected To be Bundled with vTM 22.1 (Tentative for April, 2022)   Pulse Connect Secure CVSS Score 7.5 CVSS3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H For this to be successfully exploited on the PCS Server, an authenticated user session between Client and Server is required.  This makes the attack vector highly complex and exploitability factor medium to low. Affected 9.1R15 (Tentative for April, 2022) Ivanti Connect Secure (ICS) CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H For this to be successfully exploited on the PCS Server, an authenticated user session between Client and Server is required. This makes the attack vector highly complex and exploitability factor medium to low. Affected 22.3 (Tentative for April, 2022) Pulse Policy Secure N/A Not Affected   Pulse Desktop Client CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H For the exploit to succeed on the endpoint target, it requires an authenticated user session between Client and Server and the Server to be in compromised state. This makes the attack vector highly complex and exploitability factor medium to low. Affected Pulse 9.1R15 (Tentative for April, 2022) Pulse Mobile Client N/A Not Affected   Pulse One N/A Not Exploitable*   Ivanti Neurons for ZTA N/A Not Vulnerable**   Ivanti Neurons for secure Access N/A Not Vulnerable**

* When package/Library is present but not used.
** When package/Library is present and used but it does not have the connectors (Prerequisites) to be vulnerable.