Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

CWE-311: Missing Encryption of Sensitive Data

The following products and versions store the cookie insecurely in log files:

- CVE-2019-1573: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS

- CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure (for Network Connect customers) 9.0R2 and earlier, 8.3R6 and earlier, and 8.1R13 and earlier
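To check whether a client's log files contain cookie values in clear text, the following added example (not code from this note or from any vendor) reports Cookie/Set-Cookie values found in log lines by hash only and shows a redaction pass. The log format, the cookie name `SESSID`, the host name and the 16-character threshold are assumptions made for illustration.

```python
import hashlib
import re

# Cookie / Set-Cookie headers as they might appear in a client debug log.
HEADER_RE = re.compile(r"\b(?:Set-)?Cookie:\s*(?P<pairs>.+)", re.IGNORECASE)
PAIR_RE = re.compile(r'(?P<name>[A-Za-z0-9_.-]+)=(?P<value>[^;\s"]+)')
MIN_LEN = 16  # assumption: shorter values are attributes, not session tokens

# Constructed sample log; SESSID is a hypothetical cookie name.
SAMPLE_LOG = [
    "2019-04-11 09:14:02 debug: connecting to gateway vpn.example.test",
    "2019-04-11 09:14:03 debug: response header Set-Cookie: "
    "SESSID=3f9a1c0e7b2d4a5f8e6c9b0a1d2e3f40; path=/; secure",
    "2019-04-11 09:14:03 debug: request header Cookie: lang=en; "
    "SESSID=3f9a1c0e7b2d4a5f8e6c9b0a1d2e3f40",
    "2019-04-11 09:14:05 info: tunnel established",
]


def find_cookie_leaks(lines):
    """Report cookie values logged in clear text, identified by hash only."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        header = HEADER_RE.search(line)
        if not header:
            continue
        for pair in PAIR_RE.finditer(header.group("pairs")):
            value = pair.group("value")
            if len(value) < MIN_LEN:
                continue
            # Never copy the secret into the report; a short digest is
            # enough to correlate the same token across lines and files.
            digest = hashlib.sha256(value.encode()).hexdigest()[:12]
            findings.append({"line": lineno, "name": pair.group("name"),
                             "sha256_prefix": digest, "length": len(value)})
    return findings


def redact(line):
    """Mask long cookie values in a log line, keeping names and attributes."""
    header = HEADER_RE.search(line)
    if not header:
        return line
    start = header.start("pairs")
    mask = lambda m: (m.group(0) if len(m.group("value")) < MIN_LEN
                      else m.group("name") + "=[REDACTED]")
    return line[:start] + PAIR_RE.sub(mask, line[start:])
```
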



The following products and versions store the cookie insecurely in memory:

- CVE-2019-1573: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS

- CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure (for Network Connect customers) 9.0R2 and earlier, 8.3R6 and earlier, and 8.1R13 and earlier

- Cisco AnyConnect 4.7.x and prior



It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable, please contact CERT/CC at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE.