Pulse Secure has shipped a fix for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure virtual private network (VPN) appliances. The vulnerability is due to a flaw in the way that archive files (.TAR) are extracted in the administrator web interface. NCC Group’s Richard Warren disclosed the vulnerability on Friday. The disclosure comes days after Ivanti, the company behind Pulse Secure, published an advisory for as many as six security vulnerabilities on August 2, urging customers to update to Pulse Connect Secure version 9.1R12.
Source: https://thehackernews.com/2021/08/pulse-secure-vpns-get-new-urgent-update.html