CVE-2021-31922: 
Ivanti Virtual Traffic Manager vulnerability analysis and mitigation

An HTTP Request Smuggling vulnerability was discovered in Pulse Secure Virtual Traffic Manager before version 21.1. The vulnerability allows an attacker to smuggle an HTTP request through an HTTP/2 Header when the equipment is configured to support HTTP/2. This vulnerability was assigned CVE-2021-31922 and affects Virtual Traffic Manager versions 18.x before 18.2R3, 19.x before 19.2R4, 20.x before 20.3R1, 20.2R1 and 20.1R2, and 21.x before 21.1 (MITRE CVE, CERT-FR).

The vulnerability is related to HTTP/2 header handling in the Virtual Traffic Manager. When the equipment is configured to support HTTP/2, an attacker can exploit this vulnerability to perform HTTP request smuggling attacks. The issue was addressed in multiple version releases including 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3 (MITRE CVE).

The vulnerability could allow attackers to bypass security policies when the equipment is configured to support HTTP/2. This could potentially lead to unauthorized access or manipulation of HTTP requests (CERT-FR).

The vulnerability has been fixed in multiple version releases. Users are advised to upgrade to version 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, or 18.2R3 depending on their current version track (MITRE CVE).