Multiple Pulse Secure products utilizing SAML implementation could allow an attacker with an authenticated access to a SAML Identity Provider (IdP) to bypass authentication for a different user. The cause is due to an inconsistency of XML DOM traversal APIs and handling of comment nodes.
CVE have been requested and will be updated in the future.
All Pulse Secure products were evaluated and the following products are known to be vulnerable by this issue:
- All supported versions of Pulse Connect Secure with SAML authentication server configured as Service Provider
- Pulse WorkSpace with SAML enabled
- Pulse One with Enterprise (SAML) SSO enabled on the admin login
- vTM 17.4 (Only) with a virtual server configured for SAML authentication.
Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities?
per our End of Engineering (EOE) and End of Life (EOL) policies.
All other Pulse Secure products (not listed above) were determined as not vulnerable.