CVE-2026-0257 (GCVE-0-2026-0257)
Vulnerability from – Published: 2026-05-13 18:15 – Updated: 2026-05-30 03:55
VLAI
Title
PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities
Summary
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.
Panorama and Cloud NGFW are not impacted by these issues.
Severity
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2026-0257 | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
(custom)
|
|
| Palo Alto Networks | PAN-OS |
Affected:
12.1.0 , < 12.1.7, 12.1.4-h6
(custom)
Affected: 11.2.0 , < 11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17 (custom) Affected: 11.1.0 , < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33 (custom) Affected: 10.2.0 , < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34 (custom) cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.14:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.12:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h29:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h25:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h23:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h22:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h20:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h19:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h32:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h27:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h25:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.17:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h16:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h31:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h30:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h27:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h26:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h23:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h32:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h24:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h23:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h22:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h20:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h19:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h16:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:* |
|
| Palo Alto Networks | Prisma Access |
Affected:
10.2.0 , < 10.2.10-h36
(custom)
Affected: 11.2.0 , < 11.2.7-h13 (custom) |
Date Public
2026-05-13 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0257",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-29",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0257"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T03:55:17.629Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0257"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-29T00:00:00.000Z",
"value": "CVE-2026-0257 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.14:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.13:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.12:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h29:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h25:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h23:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h22:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h20:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h19:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h32:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h27:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h25:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.17:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h16:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h31:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h30:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h27:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h26:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h23:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h32:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h24:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h23:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h22:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h20:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h19:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h16:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "12.1.7",
"status": "unaffected"
},
{
"at": "12.1.4-h6",
"status": "unaffected"
}
],
"lessThan": "12.1.7, 12.1.4-h6",
"status": "affected",
"version": "12.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.2.12",
"status": "unaffected"
},
{
"at": "11.2.10-h7",
"status": "unaffected"
},
{
"at": "11.2.7-h14",
"status": "unaffected"
},
{
"at": "11.2.4-h17",
"status": "unaffected"
}
],
"lessThan": "11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.1.15",
"status": "unaffected"
},
{
"at": "11.1.13-h5",
"status": "unaffected"
},
{
"at": "11.1.10-h25",
"status": "unaffected"
},
{
"at": "11.1.7-h6",
"status": "unaffected"
},
{
"at": "11.1.6-h32",
"status": "unaffected"
},
{
"at": "11.1.4-h33",
"status": "unaffected"
}
],
"lessThan": "11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.18-h6",
"status": "unaffected"
},
{
"at": "10.2.16-h7",
"status": "unaffected"
},
{
"at": "10.2.13-h21",
"status": "unaffected"
},
{
"at": "10.2.10-h36",
"status": "unaffected"
},
{
"at": "10.2.7-h34",
"status": "unaffected"
}
],
"lessThan": "10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.2.10-h36",
"status": "unaffected"
}
],
"lessThan": "10.2.10-h36",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.2.7-h13",
"status": "unaffected"
}
],
"lessThan": "11.2.7-h13",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. To check if authentication cookies are enabled follow the steps below:\u003c/p\u003e\u003cp\u003eOn the Portal:\u003cbr\u003e\u003cbr\u003e1. Navigate to \u003cb\u003eNetwork\u003c/b\u003e \u0026gt; \u003cb\u003eGlobalProtect\u003c/b\u003e \u0026gt; \u003cb\u003ePortals\u003c/b\u003e in the management interface.\u003cbr\u003e2. Click on your \u003cb\u003ePortal Name\u003c/b\u003e and go to the \u003cb\u003eAgent\u003c/b\u003e tab.\u003cbr\u003e3. Click on your \u003cb\u003eAgent Configuration\u003c/b\u003e profile.\u003cbr\u003e4. Go to the \u003cb\u003eAuthentication\u003c/b\u003e tab.\u003cbr\u003e5. \u003cb\u003eGenerate cookie for authentication override\u003c/b\u003e or \u003cb\u003eAccept cookie for authentication override\u003c/b\u003e options are checked.\u003cbr\u003e\u003c/p\u003eOn the Gateway:\u003cbr\u003e\u003cbr\u003e1. Navigate to \u003cb\u003eNetwork\u003c/b\u003e \u0026gt; \u003cb\u003eGlobalProtect\u003c/b\u003e \u0026gt; \u003cb\u003eGateways\u003c/b\u003e in the management interface.\u003cbr\u003e2. Click on your \u003cb\u003eGateway Name\u003c/b\u003e and go to the \u003cb\u003eAgent\u003c/b\u003e tab.\u003cbr\u003e3. Click on your \u003cb\u003eClient Settings\u003c/b\u003e profile.\u003cbr\u003e4. Go to the \u003cb\u003eAuthentication Override\u003c/b\u003e tab.\u003cbr\u003e5. \u003cb\u003eAccept cookie for authentication override\u003c/b\u003e option is checked.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "This issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. To check if authentication cookies are enabled follow the steps below:\n\n\n\nOn the Portal:\n\n1. Navigate to Network \u003e GlobalProtect \u003e Portals in the management interface.\n2. Click on your Portal Name and go to the Agent tab.\n3. Click on your Agent Configuration profile.\n4. Go to the Authentication tab.\n5. Generate cookie for authentication override or Accept cookie for authentication override options are checked.\n\n\nOn the Gateway:\n\n1. Navigate to Network \u003e GlobalProtect \u003e Gateways in the management interface.\n2. Click on your Gateway Name and go to the Agent tab.\n3. Click on your Client Settings profile.\n4. Go to the Authentication Override tab.\n5. Accept cookie for authentication override option is checked."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:cloud_ngfw:all:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "12.1.7_12.1.4-h6",
"versionStartIncluding": "12.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.2.12_11.2.10-h7_11.2.7-h14_11.2.4-h17",
"versionStartIncluding": "11.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.1.15_11.1.13-h5_11.1.10-h25_11.1.7-h6_11.1.6-h32_11.1.4-h33",
"versionStartIncluding": "11.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.2.18-h6_10.2.16-h7_10.2.13-h21_10.2.10-h36_10.2.7-h34",
"versionStartIncluding": "10.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.2.10-h36",
"versionStartIncluding": "10.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.2.7-h13",
"versionStartIncluding": "11.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "other",
"value": "Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue."
}
],
"datePublic": "2026-05-13T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS\u00ae software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.\u003cbr\u003e\u003cbr\u003ePanorama and Cloud NGFW are not impacted by these issues.\u003c/p\u003e"
}
],
"value": "Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS\u00ae software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.\n\nPanorama and Cloud NGFW are not impacted by these issues."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePalo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.\u003c/p\u003e"
}
],
"value": "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "ATTACKED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:A/AU:N/R:A/V:D/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T17:20:05.451Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2026-0257"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eCloud NGFW All\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePAN-OS 12.1\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e12.1.5 through 12.1.6\u003c/td\u003e\n \u003ctd\u003eUpgrade to 12.1.7 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e12.1.2 through 12.1.4-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 12.1.4-h6 or 12.1.7 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e11.2.11 or later\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.2.12 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.2.8 through 11.2.10-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.2.10-h7 or 11.2.12 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.2.5 through 11.2.7-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.2.7-h14 or 11.2.12 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.2.0 through 11.2.4-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.2.4-h17 or 11.2.12 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePAN-OS 11.1\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e11.1.14 or later\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.1.15 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.1.11 through 11.1.13-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.1.13-h5 or 11.1.15 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.1.8 through 11.1.10-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.1.10-h25 or 11.1.15 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.1.7 through 11.1.7-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.1.7-h6 or 11.1.15 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.1.5 through 11.1.6-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.1.6-h32 or 11.1.15 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e11.1.0 through 11.1.4-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.1.4-h33 or 11.1.15 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.17 through 10.2.18-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.18 or 10.2.18-h6 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.14 through 10.2.16-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.16-h7 or 10.2.18 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.11 through 10.2.13-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.13-h21 or 10.2.18 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.8 through 10.2.10-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.10-h36 or 10.2.18 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.0 through 10.2.7-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.7-h34 or 10.2.18 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePrisma Access 10.2\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.0 through 10.2.10-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.10-h36 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePrisma Access 11.2\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e11.2.0 through 11.2.7-h*\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.2.7-h13 or later.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Version\nMinor Version\nSuggested Solution\nCloud NGFW All\nNo action needed.\n PAN-OS 12.1\n\n 12.1.5 through 12.1.6\n Upgrade to 12.1.7 or later.\n \n \n 12.1.2 through 12.1.4-h*\n Upgrade to 12.1.4-h6 or 12.1.7 or later.\n \n PAN-OS 11.2\n\n 11.2.11 or later\n Upgrade to 11.2.12 or later.\n \n \n 11.2.8 through 11.2.10-h*\n Upgrade to 11.2.10-h7 or 11.2.12 or later.\n \n \n 11.2.5 through 11.2.7-h*\n Upgrade to 11.2.7-h14 or 11.2.12 or later.\n \n \n 11.2.0 through 11.2.4-h*\n Upgrade to 11.2.4-h17 or 11.2.12 or later.\n \n PAN-OS 11.1\n\n 11.1.14 or later\n Upgrade to 11.1.15 or later.\n \n \n 11.1.11 through 11.1.13-h*\n Upgrade to 11.1.13-h5 or 11.1.15 or later.\n \n \n 11.1.8 through 11.1.10-h*\n Upgrade to 11.1.10-h25 or 11.1.15 or later.\n \n \n 11.1.7 through 11.1.7-h*\n Upgrade to 11.1.7-h6 or 11.1.15 or later.\n \n \n 11.1.5 through 11.1.6-h*\n Upgrade to 11.1.6-h32 or 11.1.15 or later.\n \n \n 11.1.0 through 11.1.4-h*\n Upgrade to 11.1.4-h33 or 11.1.15 or later.\n \n PAN-OS 10.2\n\n 10.2.17 through 10.2.18-h*\n Upgrade to 10.2.18 or 10.2.18-h6 or later.\n \n \n 10.2.14 through 10.2.16-h*\n Upgrade to 10.2.16-h7 or 10.2.18 or later.\n \n \n 10.2.11 through 10.2.13-h*\n Upgrade to 10.2.13-h21 or 10.2.18 or later.\n \n \n 10.2.8 through 10.2.10-h*\n Upgrade to 10.2.10-h36 or 10.2.18 or later.\n \n \n 10.2.0 through 10.2.7-h*\n Upgrade to 10.2.7-h34 or 10.2.18 or later.\n All older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\n Prisma Access 10.2\n\n 10.2.0 through 10.2.10-h*\n Upgrade to 10.2.10-h36 or later.\n \n Prisma Access 11.2\n\n 11.2.0 through 11.2.7-h*\n Upgrade to 11.2.7-h13 or later."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eNote\u003c/b\u003e:\u0026nbsp;With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method. Therefore, GP users will need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one time requirement. Once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today."
}
],
"value": "Note:\u00a0With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method. Therefore, GP users will need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one time requirement. Once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today."
}
],
"source": {
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-13T16:00:00.000Z",
"value": "Initial publication."
},
{
"lang": "en",
"time": "2026-05-29T17:15:00.000Z",
"value": "Updated exploitation status."
}
],
"title": "PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities",
"workarounds": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan\u003eCustomers can mitigate the risk of this issue by taking any of the following actions:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cspan\u003e\u003cb\u003e\u003cspan\u003eUse a dedicated certificate for \u003c/span\u003eAuthentication Override cookies:\u003c/b\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eGenerate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003e\u003cb\u003eDisable Authentication Override:\u003c/b\u003e\u003c/span\u003e\u003cspan\u003e Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Customers can mitigate the risk of this issue by taking any of the following actions:\n\n\n\n\n\n * Use a dedicated certificate for Authentication Override cookies:\u00a0Generate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users.\n * Disable Authentication Override: Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration."
}
],
"x_affectedList": [
"PAN-OS 12.1.6",
"PAN-OS 12.1.5",
"PAN-OS 12.1.4-h3",
"PAN-OS 12.1.4-h2",
"PAN-OS 12.1.4",
"PAN-OS 12.1.3-h3",
"PAN-OS 12.1.3-h1",
"PAN-OS 12.1.3",
"PAN-OS 12.1.2",
"PAN-OS 11.2.11",
"PAN-OS 11.2.10-h4",
"PAN-OS 11.2.10-h3",
"PAN-OS 11.2.10-h2",
"PAN-OS 11.2.10-h1",
"PAN-OS 11.2.10",
"PAN-OS 11.2.9",
"PAN-OS 11.2.8",
"PAN-OS 11.2.7-h11",
"PAN-OS 11.2.7-h10",
"PAN-OS 11.2.7-h8",
"PAN-OS 11.2.7-h7",
"PAN-OS 11.2.7-h4",
"PAN-OS 11.2.7-h3",
"PAN-OS 11.2.7-h2",
"PAN-OS 11.2.7-h1",
"PAN-OS 11.2.7",
"PAN-OS 11.2.6",
"PAN-OS 11.2.5",
"PAN-OS 11.2.4-h15",
"PAN-OS 11.2.4-h14",
"PAN-OS 11.2.4-h12",
"PAN-OS 11.2.4-h11",
"PAN-OS 11.2.4-h10",
"PAN-OS 11.2.4-h9",
"PAN-OS 11.2.4-h8",
"PAN-OS 11.2.4-h7",
"PAN-OS 11.2.4-h6",
"PAN-OS 11.2.4-h5",
"PAN-OS 11.2.4-h4",
"PAN-OS 11.2.4-h3",
"PAN-OS 11.2.4-h2",
"PAN-OS 11.2.4-h1",
"PAN-OS 11.2.4",
"PAN-OS 11.2.3-h5",
"PAN-OS 11.2.3-h4",
"PAN-OS 11.2.3-h3",
"PAN-OS 11.2.3-h2",
"PAN-OS 11.2.3-h1",
"PAN-OS 11.2.3",
"PAN-OS 11.2.2-h2",
"PAN-OS 11.2.2-h1",
"PAN-OS 11.2.1-h1",
"PAN-OS 11.2.1",
"PAN-OS 11.2.0-h1",
"PAN-OS 11.2.0",
"PAN-OS 11.1.13-h3",
"PAN-OS 11.1.13-h2",
"PAN-OS 11.1.13-h1",
"PAN-OS 11.1.13",
"PAN-OS 11.1.12",
"PAN-OS 11.1.11",
"PAN-OS 11.1.10-h21",
"PAN-OS 11.1.10-h12",
"PAN-OS 11.1.10-h10",
"PAN-OS 11.1.10-h9",
"PAN-OS 11.1.10-h7",
"PAN-OS 11.1.10-h5",
"PAN-OS 11.1.10-h4",
"PAN-OS 11.1.10-h1",
"PAN-OS 11.1.10",
"PAN-OS 11.1.9",
"PAN-OS 11.1.8",
"PAN-OS 11.1.6-h29",
"PAN-OS 11.1.6-h25",
"PAN-OS 11.1.6-h23",
"PAN-OS 11.1.6-h22",
"PAN-OS 11.1.6-h21",
"PAN-OS 11.1.6-h20",
"PAN-OS 11.1.6-h19",
"PAN-OS 11.1.6-h18",
"PAN-OS 11.1.6-h17",
"PAN-OS 11.1.6-h14",
"PAN-OS 11.1.6-h10",
"PAN-OS 11.1.6-h7",
"PAN-OS 11.1.6-h6",
"PAN-OS 11.1.6-h4",
"PAN-OS 11.1.6-h3",
"PAN-OS 11.1.6-h2",
"PAN-OS 11.1.6-h1",
"PAN-OS 11.1.6",
"PAN-OS 11.1.5-h1",
"PAN-OS 11.1.5",
"PAN-OS 11.1.4-h27",
"PAN-OS 11.1.4-h25",
"PAN-OS 11.1.4-h18",
"PAN-OS 11.1.4-h17",
"PAN-OS 11.1.4-h15",
"PAN-OS 11.1.4-h13",
"PAN-OS 11.1.4-h12",
"PAN-OS 11.1.4-h11",
"PAN-OS 11.1.4-h10",
"PAN-OS 11.1.4-h9",
"PAN-OS 11.1.4-h8",
"PAN-OS 11.1.4-h7",
"PAN-OS 11.1.4-h6",
"PAN-OS 11.1.4-h5",
"PAN-OS 11.1.4-h4",
"PAN-OS 11.1.4-h3",
"PAN-OS 11.1.4-h2",
"PAN-OS 11.1.4-h1",
"PAN-OS 11.1.4",
"PAN-OS 11.1.3-h13",
"PAN-OS 11.1.3-h12",
"PAN-OS 11.1.3-h11",
"PAN-OS 11.1.3-h10",
"PAN-OS 11.1.3-h9",
"PAN-OS 11.1.3-h8",
"PAN-OS 11.1.3-h7",
"PAN-OS 11.1.3-h6",
"PAN-OS 11.1.3-h5",
"PAN-OS 11.1.3-h4",
"PAN-OS 11.1.3-h3",
"PAN-OS 11.1.3-h2",
"PAN-OS 11.1.3-h1",
"PAN-OS 11.1.3",
"PAN-OS 11.1.2-h18",
"PAN-OS 11.1.2-h17",
"PAN-OS 11.1.2-h16",
"PAN-OS 11.1.2-h15",
"PAN-OS 11.1.2-h14",
"PAN-OS 11.1.2-h13",
"PAN-OS 11.1.2-h12",
"PAN-OS 11.1.2-h11",
"PAN-OS 11.1.2-h10",
"PAN-OS 11.1.2-h9",
"PAN-OS 11.1.2-h8",
"PAN-OS 11.1.2-h7",
"PAN-OS 11.1.2-h6",
"PAN-OS 11.1.2-h5",
"PAN-OS 11.1.2-h4",
"PAN-OS 11.1.2-h3",
"PAN-OS 11.1.2-h2",
"PAN-OS 11.1.2-h1",
"PAN-OS 11.1.2",
"PAN-OS 11.1.1-h2",
"PAN-OS 11.1.1-h1",
"PAN-OS 11.1.1",
"PAN-OS 11.1.0-h4",
"PAN-OS 11.1.0-h3",
"PAN-OS 11.1.0-h2",
"PAN-OS 11.1.0-h1",
"PAN-OS 11.1.0",
"PAN-OS 10.2.18-h1",
"PAN-OS 10.2.18",
"PAN-OS 10.2.17",
"PAN-OS 10.2.16-h6",
"PAN-OS 10.2.16-h4",
"PAN-OS 10.2.16-h1",
"PAN-OS 10.2.16",
"PAN-OS 10.2.15",
"PAN-OS 10.2.14-h1",
"PAN-OS 10.2.14",
"PAN-OS 10.2.13-h18",
"PAN-OS 10.2.13-h16",
"PAN-OS 10.2.13-h15",
"PAN-OS 10.2.13-h10",
"PAN-OS 10.2.13-h7",
"PAN-OS 10.2.13-h5",
"PAN-OS 10.2.13-h4",
"PAN-OS 10.2.13-h3",
"PAN-OS 10.2.13-h2",
"PAN-OS 10.2.13-h1",
"PAN-OS 10.2.13",
"PAN-OS 10.2.12-h6",
"PAN-OS 10.2.12-h5",
"PAN-OS 10.2.12-h4",
"PAN-OS 10.2.12-h3",
"PAN-OS 10.2.12-h2",
"PAN-OS 10.2.12-h1",
"PAN-OS 10.2.12",
"PAN-OS 10.2.11-h13",
"PAN-OS 10.2.11-h12",
"PAN-OS 10.2.11-h11",
"PAN-OS 10.2.11-h10",
"PAN-OS 10.2.11-h9",
"PAN-OS 10.2.11-h8",
"PAN-OS 10.2.11-h7",
"PAN-OS 10.2.11-h6",
"PAN-OS 10.2.11-h5",
"PAN-OS 10.2.11-h4",
"PAN-OS 10.2.11-h3",
"PAN-OS 10.2.11-h2",
"PAN-OS 10.2.11-h1",
"PAN-OS 10.2.11",
"PAN-OS 10.2.10-h31",
"PAN-OS 10.2.10-h30",
"PAN-OS 10.2.10-h27",
"PAN-OS 10.2.10-h26",
"PAN-OS 10.2.10-h23",
"PAN-OS 10.2.10-h21",
"PAN-OS 10.2.10-h18",
"PAN-OS 10.2.10-h17",
"PAN-OS 10.2.10-h14",
"PAN-OS 10.2.10-h13",
"PAN-OS 10.2.10-h12",
"PAN-OS 10.2.10-h11",
"PAN-OS 10.2.10-h10",
"PAN-OS 10.2.10-h9",
"PAN-OS 10.2.10-h8",
"PAN-OS 10.2.10-h7",
"PAN-OS 10.2.10-h6",
"PAN-OS 10.2.10-h5",
"PAN-OS 10.2.10-h4",
"PAN-OS 10.2.10-h3",
"PAN-OS 10.2.10-h2",
"PAN-OS 10.2.10-h1",
"PAN-OS 10.2.10",
"PAN-OS 10.2.9-h21",
"PAN-OS 10.2.9-h20",
"PAN-OS 10.2.9-h19",
"PAN-OS 10.2.9-h18",
"PAN-OS 10.2.9-h17",
"PAN-OS 10.2.9-h16",
"PAN-OS 10.2.9-h15",
"PAN-OS 10.2.9-h14",
"PAN-OS 10.2.9-h13",
"PAN-OS 10.2.9-h12",
"PAN-OS 10.2.9-h11",
"PAN-OS 10.2.9-h10",
"PAN-OS 10.2.9-h9",
"PAN-OS 10.2.9-h8",
"PAN-OS 10.2.9-h7",
"PAN-OS 10.2.9-h6",
"PAN-OS 10.2.9-h5",
"PAN-OS 10.2.9-h4",
"PAN-OS 10.2.9-h3",
"PAN-OS 10.2.9-h2",
"PAN-OS 10.2.9-h1",
"PAN-OS 10.2.9",
"PAN-OS 10.2.8-h21",
"PAN-OS 10.2.8-h20",
"PAN-OS 10.2.8-h19",
"PAN-OS 10.2.8-h18",
"PAN-OS 10.2.8-h17",
"PAN-OS 10.2.8-h16",
"PAN-OS 10.2.8-h15",
"PAN-OS 10.2.8-h14",
"PAN-OS 10.2.8-h13",
"PAN-OS 10.2.8-h12",
"PAN-OS 10.2.8-h11",
"PAN-OS 10.2.8-h10",
"PAN-OS 10.2.8-h9",
"PAN-OS 10.2.8-h8",
"PAN-OS 10.2.8-h7",
"PAN-OS 10.2.8-h6",
"PAN-OS 10.2.8-h5",
"PAN-OS 10.2.8-h4",
"PAN-OS 10.2.8-h3",
"PAN-OS 10.2.8-h2",
"PAN-OS 10.2.8-h1",
"PAN-OS 10.2.8",
"PAN-OS 10.2.7-h32",
"PAN-OS 10.2.7-h24",
"PAN-OS 10.2.7-h23",
"PAN-OS 10.2.7-h22",
"PAN-OS 10.2.7-h21",
"PAN-OS 10.2.7-h20",
"PAN-OS 10.2.7-h19",
"PAN-OS 10.2.7-h18",
"PAN-OS 10.2.7-h17",
"PAN-OS 10.2.7-h16",
"PAN-OS 10.2.7-h15",
"PAN-OS 10.2.7-h14",
"PAN-OS 10.2.7-h13",
"PAN-OS 10.2.7-h12",
"PAN-OS 10.2.7-h11",
"PAN-OS 10.2.7-h10",
"PAN-OS 10.2.7-h9",
"PAN-OS 10.2.7-h8",
"PAN-OS 10.2.7-h7",
"PAN-OS 10.2.7-h6",
"PAN-OS 10.2.7-h5",
"PAN-OS 10.2.7-h4",
"PAN-OS 10.2.7-h3",
"PAN-OS 10.2.7-h2",
"PAN-OS 10.2.7-h1",
"PAN-OS 10.2.7",
"PAN-OS 10.2.6-h6",
"PAN-OS 10.2.6-h5",
"PAN-OS 10.2.6-h4",
"PAN-OS 10.2.6-h3",
"PAN-OS 10.2.6-h2",
"PAN-OS 10.2.6-h1",
"PAN-OS 10.2.6",
"PAN-OS 10.2.5-h9",
"PAN-OS 10.2.5-h8",
"PAN-OS 10.2.5-h7",
"PAN-OS 10.2.5-h6",
"PAN-OS 10.2.5-h5",
"PAN-OS 10.2.5-h4",
"PAN-OS 10.2.5-h3",
"PAN-OS 10.2.5-h2",
"PAN-OS 10.2.5-h1",
"PAN-OS 10.2.5",
"PAN-OS 10.2.4-h32",
"PAN-OS 10.2.4-h31",
"PAN-OS 10.2.4-h30",
"PAN-OS 10.2.4-h29",
"PAN-OS 10.2.4-h28",
"PAN-OS 10.2.4-h27",
"PAN-OS 10.2.4-h26",
"PAN-OS 10.2.4-h25",
"PAN-OS 10.2.4-h24",
"PAN-OS 10.2.4-h23",
"PAN-OS 10.2.4-h22",
"PAN-OS 10.2.4-h21",
"PAN-OS 10.2.4-h20",
"PAN-OS 10.2.4-h19",
"PAN-OS 10.2.4-h18",
"PAN-OS 10.2.4-h17",
"PAN-OS 10.2.4-h16",
"PAN-OS 10.2.4-h15",
"PAN-OS 10.2.4-h14",
"PAN-OS 10.2.4-h13",
"PAN-OS 10.2.4-h12",
"PAN-OS 10.2.4-h11",
"PAN-OS 10.2.4-h10",
"PAN-OS 10.2.4-h9",
"PAN-OS 10.2.4-h8",
"PAN-OS 10.2.4-h7",
"PAN-OS 10.2.4-h6",
"PAN-OS 10.2.4-h5",
"PAN-OS 10.2.4-h4",
"PAN-OS 10.2.4-h3",
"PAN-OS 10.2.4-h2",
"PAN-OS 10.2.4-h1",
"PAN-OS 10.2.4",
"PAN-OS 10.2.3-h14",
"PAN-OS 10.2.3-h13",
"PAN-OS 10.2.3-h12",
"PAN-OS 10.2.3-h11",
"PAN-OS 10.2.3-h10",
"PAN-OS 10.2.3-h9",
"PAN-OS 10.2.3-h8",
"PAN-OS 10.2.3-h7",
"PAN-OS 10.2.3-h6",
"PAN-OS 10.2.3-h5",
"PAN-OS 10.2.3-h4",
"PAN-OS 10.2.3-h3",
"PAN-OS 10.2.3-h2",
"PAN-OS 10.2.3-h1",
"PAN-OS 10.2.3",
"PAN-OS 10.2.2-h6",
"PAN-OS 10.2.2-h5",
"PAN-OS 10.2.2-h4",
"PAN-OS 10.2.2-h3",
"PAN-OS 10.2.2-h2",
"PAN-OS 10.2.2-h1",
"PAN-OS 10.2.2",
"PAN-OS 10.2.1-h3",
"PAN-OS 10.2.1-h2",
"PAN-OS 10.2.1-h1",
"PAN-OS 10.2.1",
"PAN-OS 10.2.0-h4",
"PAN-OS 10.2.0-h3",
"PAN-OS 10.2.0-h2",
"PAN-OS 10.2.0-h1",
"PAN-OS 10.2.0"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2026-0257",
"datePublished": "2026-05-13T18:15:10.172Z",
"dateReserved": "2025-11-03T20:44:17.691Z",
"dateUpdated": "2026-05-30T03:55:17.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0227 (GCVE-0-2026-0227)
Vulnerability from – Published: 2026-01-15 18:45 – Updated: 2026-01-30 23:36
VLAI
Title
PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal
Summary
A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2026-0227 | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
(custom)
|
|
| Palo Alto Networks | PAN-OS |
Affected:
12.1.2 , < 12.1.4, 12.1.3-h3
(custom)
Affected: 11.2.0 , < 11.2.10-h2, 11.2.7-h8, 11.2.4-h15 (custom) Affected: 11.1.0 , < 11.1.13, 11.1.10-h9, 11.1.6-h23, 11.1.4-h27 (custom) Affected: 10.2.0 , < 10.2.18-h1, 10.2.16-h6, 10.2.13-h18, 10.2.10-h30, 10.2.7-h32 (custom) Affected: 10.1.0 , < 10.1.14-h20 (custom) cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.12:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h22:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h20:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h19:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h25:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.17:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h16:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h27:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h26:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h23:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h24:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h23:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h22:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h20:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h19:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h16:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h32:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h31:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h30:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h29:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h28:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h27:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h26:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h25:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h24:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h23:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h22:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h21:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h20:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h19:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h18:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h17:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h16:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h12:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h19:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h16:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h15:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h14:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h13:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h11:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h10:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h9:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h8:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h7:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h6:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h5:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h4:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h3:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h2:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h1:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:-:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:* |
|
| Palo Alto Networks | Prisma Access |
Affected:
11.2 , < 11.2.7-h8
(custom)
Affected: 10.2 , < 10.2.10-h29, 10.2.4-h43 (custom) |
Date Public
2026-01-14 17:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T19:10:53.100502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T19:10:59.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.12:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h22:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h20:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h19:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h25:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.18:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.17:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h16:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h27:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h26:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h23:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h24:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h23:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h22:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h20:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h19:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h16:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h32:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h31:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h30:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h29:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h28:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h27:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h26:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h25:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h24:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h23:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h22:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h21:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h20:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h19:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h18:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h17:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h16:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h19:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h16:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h15:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h14:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h13:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h11:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h10:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h9:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h8:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h7:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h6:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h5:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h4:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h3:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h2:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h1:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:-:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "12.1.4",
"status": "unaffected"
},
{
"at": "12.1.3-h3",
"status": "unaffected"
}
],
"lessThan": "12.1.4, 12.1.3-h3",
"status": "affected",
"version": "12.1.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.2.10-h2",
"status": "unaffected"
},
{
"at": "11.2.7-h8",
"status": "unaffected"
},
{
"at": "11.2.4-h15",
"status": "unaffected"
}
],
"lessThan": "11.2.10-h2, 11.2.7-h8, 11.2.4-h15",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.1.13",
"status": "unaffected"
},
{
"at": "11.1.10-h9",
"status": "unaffected"
},
{
"at": "11.1.6-h23",
"status": "unaffected"
},
{
"at": "11.1.4-h27",
"status": "unaffected"
}
],
"lessThan": "11.1.13, 11.1.10-h9, 11.1.6-h23, 11.1.4-h27",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.18-h1",
"status": "unaffected"
},
{
"at": "10.2.16-h6",
"status": "unaffected"
},
{
"at": "10.2.13-h18",
"status": "unaffected"
},
{
"at": "10.2.10-h30",
"status": "unaffected"
},
{
"at": "10.2.7-h32",
"status": "unaffected"
}
],
"lessThan": "10.2.18-h1, 10.2.16-h6, 10.2.13-h18, 10.2.10-h30, 10.2.7-h32",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.14-h20",
"status": "unaffected"
}
],
"lessThan": "10.1.14-h20",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "11.2.7-h8",
"status": "unaffected"
}
],
"lessThan": "11.2.7-h8",
"status": "affected",
"version": "11.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.10-h29",
"status": "unaffected"
},
{
"at": "10.2.4-h43",
"status": "unaffected"
}
],
"lessThan": "10.2.10-h29, 10.2.4-h43",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is applicable only to PAN-OS NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal."
}
],
"value": "This issue is applicable only to PAN-OS NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:cloud_ngfw:all:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "12.1.4,_12.1.3-h3",
"versionStartIncluding": "12.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.2.10-h2,_11.2.7-h8,_11.2.4-h15",
"versionStartIncluding": "11.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.1.13,_11.1.10-h9,_11.1.6-h23,_11.1.4-h27",
"versionStartIncluding": "11.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.2.18-h1,_10.2.16-h6,_10.2.13-h18,_10.2.10-h30,_10.2.7-h32",
"versionStartIncluding": "10.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.1.14-h20",
"versionStartIncluding": "10.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.2.7-h8",
"versionStartIncluding": "11.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.2.10-h29,_10.2.4-h43",
"versionStartIncluding": "10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "an external reporter"
}
],
"datePublic": "2026-01-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode."
}
],
"value": "A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003ePalo Alto Networks is not aware of any malicious exploitation of this issue.\u003c/span\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-210",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-210 Abuse Existing Functionality"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T23:36:56.887Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2026-0227"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eCloud NGFW All\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 12.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e12.1.2 through 12.1.3\u003c/td\u003e\u003ctd\u003eUpgrade to 12.1.4 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.2.8 through 11.2.10\u003c/td\u003e\u003ctd\u003eUpgrade to 11.2.10-h2 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e11.2.5 through 11.2.7\u003c/td\u003e\u003ctd\u003eUpgrade to 11.2.7-h8 or 11.2.10-h2 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e11.2.0 through 11.2.4\u003c/td\u003e\u003ctd\u003eUpgrade to 11.2.4-h15 or 11.2.10-h2 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.1.11 through 11.1.12\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.13 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e11.1.7 through 11.1.10\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.10-h9 or 11.1.13 later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e11.1.5 through 11.1.6\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.6-h23 or 11.1.13 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e11.1.0 through 11.1.4\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.4-h27 or 11.1.13 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e10.2.17 through 10.2.18\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.18-h1 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e10.2.14 through 10.2.16\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.16-h6 or 10.2.18-h1 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e10.2.11 through 10.2.13\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.13-h18 or 10.2.18-h1 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e10.2.8 through 10.2.10\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.10-h30 or 10.2.18-h1 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003e10.2.0 through 10.2.7\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.7-h32 or 10.2.18-h1 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;PAN-OS 10.1\u003c/td\u003e\u003ctd\u003e\u0026nbsp;10.1.0 through 10.1.14\u003c/td\u003e\u003ctd\u003eUpgrade to 10.1.14-h20 or later.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.2.0 through 11.2.7\u003c/td\u003e\u003ctd\u003eUpgrade to 11.2.7-h8 or later.*\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access 10.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e10.2.0 through 10.2.10\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.10-h29 or later.*\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e* See the note under Product Status for information regarding Prisma Access upgrades."
}
],
"value": "VERSION MINOR VERSION SUGGESTED SOLUTION\nCloud NGFW All No action needed.\nPAN-OS 12.1 12.1.2 through 12.1.3 Upgrade to 12.1.4 or later.\nPAN-OS 11.2 11.2.8 through 11.2.10 Upgrade to 11.2.10-h2 or later.\n 11.2.5 through 11.2.7 Upgrade to 11.2.7-h8 or 11.2.10-h2 or later.\n 11.2.0 through 11.2.4 Upgrade to 11.2.4-h15 or 11.2.10-h2 or later.\nPAN-OS 11.1 11.1.11 through 11.1.12 Upgrade to 11.1.13 or later.\n 11.1.7 through 11.1.10 Upgrade to 11.1.10-h9 or 11.1.13 later.\n 11.1.5 through 11.1.6 Upgrade to 11.1.6-h23 or 11.1.13 or later.\n 11.1.0 through 11.1.4 Upgrade to 11.1.4-h27 or 11.1.13 or later.\nPAN-OS 10.2 10.2.17 through 10.2.18 Upgrade to 10.2.18-h1 or later.\n 10.2.14 through 10.2.16 Upgrade to 10.2.16-h6 or 10.2.18-h1 or later.\n 10.2.11 through 10.2.13 Upgrade to 10.2.13-h18 or 10.2.18-h1 or later.\n 10.2.8 through 10.2.10 Upgrade to 10.2.10-h30 or 10.2.18-h1 or later.\n 10.2.0 through 10.2.7 Upgrade to 10.2.7-h32 or 10.2.18-h1 or later.\n PAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h20 or later. \nAll older Upgrade to a supported fixed version.\nunsupported\nPAN-OS versions\nPrisma Access 11.2 11.2.0 through 11.2.7 Upgrade to 11.2.7-h8 or later.*\nPrisma Access 10.2 10.2.0 through 10.2.10 Upgrade to 10.2.10-h29 or later.*\n\n\n* See the note under Product Status for information regarding Prisma Access upgrades."
}
],
"source": {
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2026-01-16T18:15:00.000Z",
"value": "Added 10.2.4-h43 to Prisma Access Fix Versions."
},
{
"lang": "en",
"time": "2026-01-14T18:15:00.000Z",
"value": "Changed recommended fix version from 11.2.4-h14 to 11.2.4-h15."
},
{
"lang": "en",
"time": "2026-01-14T17:00:00.000Z",
"value": "Initial Publication"
},
{
"lang": "en",
"time": "2026-01-30T23:30:00.000Z",
"value": "Fixed a broken link and updated the Solutions table."
}
],
"title": "PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal",
"workarounds": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known workarounds exist for this issue."
}
],
"value": "No known workarounds exist for this issue."
}
],
"x_affectedList": [
"PAN-OS 12.1.3-h1",
"PAN-OS 12.1.3",
"PAN-OS 12.1.2",
"PAN-OS 11.2.10-h1",
"PAN-OS 11.2.10",
"PAN-OS 11.2.9",
"PAN-OS 11.2.8",
"PAN-OS 11.2.7-h7",
"PAN-OS 11.2.7-h4",
"PAN-OS 11.2.7-h3",
"PAN-OS 11.2.7-h2",
"PAN-OS 11.2.7-h1",
"PAN-OS 11.2.7",
"PAN-OS 11.2.6",
"PAN-OS 11.2.5",
"PAN-OS 11.2.4-h14",
"PAN-OS 11.2.4-h12",
"PAN-OS 11.2.4-h11",
"PAN-OS 11.2.4-h10",
"PAN-OS 11.2.4-h9",
"PAN-OS 11.2.4-h8",
"PAN-OS 11.2.4-h7",
"PAN-OS 11.2.4-h6",
"PAN-OS 11.2.4-h5",
"PAN-OS 11.2.4-h4",
"PAN-OS 11.2.4-h3",
"PAN-OS 11.2.4-h2",
"PAN-OS 11.2.4-h1",
"PAN-OS 11.2.4",
"PAN-OS 11.2.3-h5",
"PAN-OS 11.2.3-h4",
"PAN-OS 11.2.3-h3",
"PAN-OS 11.2.3-h2",
"PAN-OS 11.2.3-h1",
"PAN-OS 11.2.3",
"PAN-OS 11.2.2-h2",
"PAN-OS 11.2.2-h1",
"PAN-OS 11.2.1-h1",
"PAN-OS 11.2.1",
"PAN-OS 11.2.0-h1",
"PAN-OS 11.2.0",
"PAN-OS 11.1.12",
"PAN-OS 11.1.11",
"PAN-OS 11.1.10-h7",
"PAN-OS 11.1.10-h5",
"PAN-OS 11.1.10-h4",
"PAN-OS 11.1.10-h1",
"PAN-OS 11.1.10",
"PAN-OS 11.1.9",
"PAN-OS 11.1.8",
"PAN-OS 11.1.6-h22",
"PAN-OS 11.1.6-h21",
"PAN-OS 11.1.6-h20",
"PAN-OS 11.1.6-h19",
"PAN-OS 11.1.6-h18",
"PAN-OS 11.1.6-h17",
"PAN-OS 11.1.6-h14",
"PAN-OS 11.1.6-h10",
"PAN-OS 11.1.6-h7",
"PAN-OS 11.1.6-h6",
"PAN-OS 11.1.6-h4",
"PAN-OS 11.1.6-h3",
"PAN-OS 11.1.6-h2",
"PAN-OS 11.1.6-h1",
"PAN-OS 11.1.6",
"PAN-OS 11.1.5-h1",
"PAN-OS 11.1.5",
"PAN-OS 11.1.4-h25",
"PAN-OS 11.1.4-h18",
"PAN-OS 11.1.4-h17",
"PAN-OS 11.1.4-h15",
"PAN-OS 11.1.4-h13",
"PAN-OS 11.1.4-h12",
"PAN-OS 11.1.4-h11",
"PAN-OS 11.1.4-h10",
"PAN-OS 11.1.4-h9",
"PAN-OS 11.1.4-h8",
"PAN-OS 11.1.4-h7",
"PAN-OS 11.1.4-h6",
"PAN-OS 11.1.4-h5",
"PAN-OS 11.1.4-h4",
"PAN-OS 11.1.4-h3",
"PAN-OS 11.1.4-h2",
"PAN-OS 11.1.4-h1",
"PAN-OS 11.1.4",
"PAN-OS 11.1.3-h13",
"PAN-OS 11.1.3-h12",
"PAN-OS 11.1.3-h11",
"PAN-OS 11.1.3-h10",
"PAN-OS 11.1.3-h9",
"PAN-OS 11.1.3-h8",
"PAN-OS 11.1.3-h7",
"PAN-OS 11.1.3-h6",
"PAN-OS 11.1.3-h5",
"PAN-OS 11.1.3-h4",
"PAN-OS 11.1.3-h3",
"PAN-OS 11.1.3-h2",
"PAN-OS 11.1.3-h1",
"PAN-OS 11.1.3",
"PAN-OS 11.1.2-h18",
"PAN-OS 11.1.2-h17",
"PAN-OS 11.1.2-h16",
"PAN-OS 11.1.2-h15",
"PAN-OS 11.1.2-h14",
"PAN-OS 11.1.2-h13",
"PAN-OS 11.1.2-h12",
"PAN-OS 11.1.2-h11",
"PAN-OS 11.1.2-h10",
"PAN-OS 11.1.2-h9",
"PAN-OS 11.1.2-h8",
"PAN-OS 11.1.2-h7",
"PAN-OS 11.1.2-h6",
"PAN-OS 11.1.2-h5",
"PAN-OS 11.1.2-h4",
"PAN-OS 11.1.2-h3",
"PAN-OS 11.1.2-h2",
"PAN-OS 11.1.2-h1",
"PAN-OS 11.1.2",
"PAN-OS 11.1.1-h2",
"PAN-OS 11.1.1-h1",
"PAN-OS 11.1.1",
"PAN-OS 11.1.0-h4",
"PAN-OS 11.1.0-h3",
"PAN-OS 11.1.0-h2",
"PAN-OS 11.1.0-h1",
"PAN-OS 11.1.0",
"PAN-OS 10.2.18",
"PAN-OS 10.2.17",
"PAN-OS 10.2.16-h4",
"PAN-OS 10.2.16-h1",
"PAN-OS 10.2.16",
"PAN-OS 10.2.15",
"PAN-OS 10.2.14-h1",
"PAN-OS 10.2.14",
"PAN-OS 10.2.13-h16",
"PAN-OS 10.2.13-h15",
"PAN-OS 10.2.13-h10",
"PAN-OS 10.2.13-h7",
"PAN-OS 10.2.13-h5",
"PAN-OS 10.2.13-h4",
"PAN-OS 10.2.13-h3",
"PAN-OS 10.2.13-h2",
"PAN-OS 10.2.13-h1",
"PAN-OS 10.2.13",
"PAN-OS 10.2.12-h6",
"PAN-OS 10.2.12-h5",
"PAN-OS 10.2.12-h4",
"PAN-OS 10.2.12-h3",
"PAN-OS 10.2.12-h2",
"PAN-OS 10.2.12-h1",
"PAN-OS 10.2.12",
"PAN-OS 10.2.11-h13",
"PAN-OS 10.2.11-h12",
"PAN-OS 10.2.11-h11",
"PAN-OS 10.2.11-h10",
"PAN-OS 10.2.11-h9",
"PAN-OS 10.2.11-h8",
"PAN-OS 10.2.11-h7",
"PAN-OS 10.2.11-h6",
"PAN-OS 10.2.11-h5",
"PAN-OS 10.2.11-h4",
"PAN-OS 10.2.11-h3",
"PAN-OS 10.2.11-h2",
"PAN-OS 10.2.11-h1",
"PAN-OS 10.2.11",
"PAN-OS 10.2.10-h27",
"PAN-OS 10.2.10-h26",
"PAN-OS 10.2.10-h23",
"PAN-OS 10.2.10-h21",
"PAN-OS 10.2.10-h18",
"PAN-OS 10.2.10-h17",
"PAN-OS 10.2.10-h14",
"PAN-OS 10.2.10-h13",
"PAN-OS 10.2.10-h12",
"PAN-OS 10.2.10-h11",
"PAN-OS 10.2.10-h10",
"PAN-OS 10.2.10-h9",
"PAN-OS 10.2.10-h8",
"PAN-OS 10.2.10-h7",
"PAN-OS 10.2.10-h6",
"PAN-OS 10.2.10-h5",
"PAN-OS 10.2.10-h4",
"PAN-OS 10.2.10-h3",
"PAN-OS 10.2.10-h2",
"PAN-OS 10.2.10-h1",
"PAN-OS 10.2.10",
"PAN-OS 10.2.9-h21",
"PAN-OS 10.2.9-h20",
"PAN-OS 10.2.9-h19",
"PAN-OS 10.2.9-h18",
"PAN-OS 10.2.9-h17",
"PAN-OS 10.2.9-h16",
"PAN-OS 10.2.9-h15",
"PAN-OS 10.2.9-h14",
"PAN-OS 10.2.9-h13",
"PAN-OS 10.2.9-h12",
"PAN-OS 10.2.9-h11",
"PAN-OS 10.2.9-h10",
"PAN-OS 10.2.9-h9",
"PAN-OS 10.2.9-h8",
"PAN-OS 10.2.9-h7",
"PAN-OS 10.2.9-h6",
"PAN-OS 10.2.9-h5",
"PAN-OS 10.2.9-h4",
"PAN-OS 10.2.9-h3",
"PAN-OS 10.2.9-h2",
"PAN-OS 10.2.9-h1",
"PAN-OS 10.2.9",
"PAN-OS 10.2.8-h21",
"PAN-OS 10.2.8-h20",
"PAN-OS 10.2.8-h19",
"PAN-OS 10.2.8-h18",
"PAN-OS 10.2.8-h17",
"PAN-OS 10.2.8-h16",
"PAN-OS 10.2.8-h15",
"PAN-OS 10.2.8-h14",
"PAN-OS 10.2.8-h13",
"PAN-OS 10.2.8-h12",
"PAN-OS 10.2.8-h11",
"PAN-OS 10.2.8-h10",
"PAN-OS 10.2.8-h9",
"PAN-OS 10.2.8-h8",
"PAN-OS 10.2.8-h7",
"PAN-OS 10.2.8-h6",
"PAN-OS 10.2.8-h5",
"PAN-OS 10.2.8-h4",
"PAN-OS 10.2.8-h3",
"PAN-OS 10.2.8-h2",
"PAN-OS 10.2.8-h1",
"PAN-OS 10.2.8",
"PAN-OS 10.2.7-h24",
"PAN-OS 10.2.7-h23",
"PAN-OS 10.2.7-h22",
"PAN-OS 10.2.7-h21",
"PAN-OS 10.2.7-h20",
"PAN-OS 10.2.7-h19",
"PAN-OS 10.2.7-h18",
"PAN-OS 10.2.7-h17",
"PAN-OS 10.2.7-h16",
"PAN-OS 10.2.7-h15",
"PAN-OS 10.2.7-h14",
"PAN-OS 10.2.7-h13",
"PAN-OS 10.2.7-h12",
"PAN-OS 10.2.7-h11",
"PAN-OS 10.2.7-h10",
"PAN-OS 10.2.7-h9",
"PAN-OS 10.2.7-h8",
"PAN-OS 10.2.7-h7",
"PAN-OS 10.2.7-h6",
"PAN-OS 10.2.7-h5",
"PAN-OS 10.2.7-h4",
"PAN-OS 10.2.7-h3",
"PAN-OS 10.2.7-h2",
"PAN-OS 10.2.7-h1",
"PAN-OS 10.2.7",
"PAN-OS 10.2.6-h6",
"PAN-OS 10.2.6-h5",
"PAN-OS 10.2.6-h4",
"PAN-OS 10.2.6-h3",
"PAN-OS 10.2.6-h2",
"PAN-OS 10.2.6-h1",
"PAN-OS 10.2.6",
"PAN-OS 10.2.5-h9",
"PAN-OS 10.2.5-h8",
"PAN-OS 10.2.5-h7",
"PAN-OS 10.2.5-h6",
"PAN-OS 10.2.5-h5",
"PAN-OS 10.2.5-h4",
"PAN-OS 10.2.5-h3",
"PAN-OS 10.2.5-h2",
"PAN-OS 10.2.5-h1",
"PAN-OS 10.2.5",
"PAN-OS 10.2.4-h32",
"PAN-OS 10.2.4-h31",
"PAN-OS 10.2.4-h30",
"PAN-OS 10.2.4-h29",
"PAN-OS 10.2.4-h28",
"PAN-OS 10.2.4-h27",
"PAN-OS 10.2.4-h26",
"PAN-OS 10.2.4-h25",
"PAN-OS 10.2.4-h24",
"PAN-OS 10.2.4-h23",
"PAN-OS 10.2.4-h22",
"PAN-OS 10.2.4-h21",
"PAN-OS 10.2.4-h20",
"PAN-OS 10.2.4-h19",
"PAN-OS 10.2.4-h18",
"PAN-OS 10.2.4-h17",
"PAN-OS 10.2.4-h16",
"PAN-OS 10.2.4-h15",
"PAN-OS 10.2.4-h14",
"PAN-OS 10.2.4-h13",
"PAN-OS 10.2.4-h12",
"PAN-OS 10.2.4-h11",
"PAN-OS 10.2.4-h10",
"PAN-OS 10.2.4-h9",
"PAN-OS 10.2.4-h8",
"PAN-OS 10.2.4-h7",
"PAN-OS 10.2.4-h6",
"PAN-OS 10.2.4-h5",
"PAN-OS 10.2.4-h4",
"PAN-OS 10.2.4-h3",
"PAN-OS 10.2.4-h2",
"PAN-OS 10.2.4-h1",
"PAN-OS 10.2.4",
"PAN-OS 10.2.3-h14",
"PAN-OS 10.2.3-h13",
"PAN-OS 10.2.3-h12",
"PAN-OS 10.2.3-h11",
"PAN-OS 10.2.3-h10",
"PAN-OS 10.2.3-h9",
"PAN-OS 10.2.3-h8",
"PAN-OS 10.2.3-h7",
"PAN-OS 10.2.3-h6",
"PAN-OS 10.2.3-h5",
"PAN-OS 10.2.3-h4",
"PAN-OS 10.2.3-h3",
"PAN-OS 10.2.3-h2",
"PAN-OS 10.2.3-h1",
"PAN-OS 10.2.3",
"PAN-OS 10.2.2-h6",
"PAN-OS 10.2.2-h5",
"PAN-OS 10.2.2-h4",
"PAN-OS 10.2.2-h3",
"PAN-OS 10.2.2-h2",
"PAN-OS 10.2.2-h1",
"PAN-OS 10.2.2",
"PAN-OS 10.2.1-h3",
"PAN-OS 10.2.1-h2",
"PAN-OS 10.2.1-h1",
"PAN-OS 10.2.1",
"PAN-OS 10.2.0-h4",
"PAN-OS 10.2.0-h3",
"PAN-OS 10.2.0-h2",
"PAN-OS 10.2.0-h1",
"PAN-OS 10.2.0",
"PAN-OS 10.1.14-h19",
"PAN-OS 10.1.14-h16",
"PAN-OS 10.1.14-h15",
"PAN-OS 10.1.14-h14",
"PAN-OS 10.1.14-h13",
"PAN-OS 10.1.14-h11",
"PAN-OS 10.1.14-h10",
"PAN-OS 10.1.14-h9",
"PAN-OS 10.1.14-h8",
"PAN-OS 10.1.14-h7",
"PAN-OS 10.1.14-h6",
"PAN-OS 10.1.14-h5",
"PAN-OS 10.1.14-h4",
"PAN-OS 10.1.14-h3",
"PAN-OS 10.1.14-h2",
"PAN-OS 10.1.14-h1",
"PAN-OS 10.1.14",
"PAN-OS 10.1.13-h5",
"PAN-OS 10.1.13-h4",
"PAN-OS 10.1.13-h3",
"PAN-OS 10.1.13-h2",
"PAN-OS 10.1.13-h1",
"PAN-OS 10.1.13",
"PAN-OS 10.1.12-h3",
"PAN-OS 10.1.12-h2",
"PAN-OS 10.1.12-h1",
"PAN-OS 10.1.12",
"PAN-OS 10.1.11-h10",
"PAN-OS 10.1.11-h9",
"PAN-OS 10.1.11-h8",
"PAN-OS 10.1.11-h7",
"PAN-OS 10.1.11-h6",
"PAN-OS 10.1.11-h5",
"PAN-OS 10.1.11-h4",
"PAN-OS 10.1.11-h3",
"PAN-OS 10.1.11-h2",
"PAN-OS 10.1.11-h1",
"PAN-OS 10.1.11",
"PAN-OS 10.1.10-h9",
"PAN-OS 10.1.10-h8",
"PAN-OS 10.1.10-h7",
"PAN-OS 10.1.10-h6",
"PAN-OS 10.1.10-h5",
"PAN-OS 10.1.10-h4",
"PAN-OS 10.1.10-h3",
"PAN-OS 10.1.10-h2",
"PAN-OS 10.1.10-h1",
"PAN-OS 10.1.10",
"PAN-OS 10.1.9-h14",
"PAN-OS 10.1.9-h13",
"PAN-OS 10.1.9-h12",
"PAN-OS 10.1.9-h11",
"PAN-OS 10.1.9-h10",
"PAN-OS 10.1.9-h9",
"PAN-OS 10.1.9-h8",
"PAN-OS 10.1.9-h7",
"PAN-OS 10.1.9-h6",
"PAN-OS 10.1.9-h5",
"PAN-OS 10.1.9-h4",
"PAN-OS 10.1.9-h3",
"PAN-OS 10.1.9-h2",
"PAN-OS 10.1.9-h1",
"PAN-OS 10.1.9",
"PAN-OS 10.1.8-h8",
"PAN-OS 10.1.8-h7",
"PAN-OS 10.1.8-h6",
"PAN-OS 10.1.8-h5",
"PAN-OS 10.1.8-h4",
"PAN-OS 10.1.8-h3",
"PAN-OS 10.1.8-h2",
"PAN-OS 10.1.8-h1",
"PAN-OS 10.1.8",
"PAN-OS 10.1.7-h1",
"PAN-OS 10.1.7",
"PAN-OS 10.1.6-h9",
"PAN-OS 10.1.6-h8",
"PAN-OS 10.1.6-h7",
"PAN-OS 10.1.6-h6",
"PAN-OS 10.1.6-h5",
"PAN-OS 10.1.6-h4",
"PAN-OS 10.1.6-h3",
"PAN-OS 10.1.6-h2",
"PAN-OS 10.1.6-h1",
"PAN-OS 10.1.6",
"PAN-OS 10.1.5-h4",
"PAN-OS 10.1.5-h3",
"PAN-OS 10.1.5-h2",
"PAN-OS 10.1.5-h1",
"PAN-OS 10.1.5",
"PAN-OS 10.1.4-h6",
"PAN-OS 10.1.4-h5",
"PAN-OS 10.1.4-h4",
"PAN-OS 10.1.4-h3",
"PAN-OS 10.1.4-h2",
"PAN-OS 10.1.4-h1",
"PAN-OS 10.1.4",
"PAN-OS 10.1.3-h4",
"PAN-OS 10.1.3-h3",
"PAN-OS 10.1.3-h2",
"PAN-OS 10.1.3-h1",
"PAN-OS 10.1.3",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2026-0227",
"datePublished": "2026-01-15T18:45:08.579Z",
"dateReserved": "2025-11-03T20:43:48.418Z",
"dateUpdated": "2026-01-30T23:36:56.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3393 (GCVE-0-2024-3393)
Vulnerability from – Published: 2024-12-27 09:44 – Updated: 2025-10-21 22:55
VLAI
Title
PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet
Summary
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Severity
SSVC
Exploitation: active
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2024-3393 | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
|
|
| Palo Alto Networks | PAN-OS |
Affected:
11.2.0 , < 11.2.3
(custom)
Affected: 11.1.0 , < 11.1.2-h16 (custom) Affected: 10.2.8 , < 10.2.8-h19 (custom) Affected: 10.1.14 , < 10.1.14-h8 (custom) cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h11:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h15:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:* |
|
| Palo Alto Networks | PAN-OS |
Unaffected:
10.2.0 , < 10.2.8
(custom)
Affected: 11.2.0 , < 11.2.3 (custom) |
Date Public
2024-12-27 02:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3393",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T15:55:30.369332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-12-30",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3393"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:33.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3393"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-30T00:00:00.000Z",
"value": "CVE-2024-3393 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "11.2.3",
"status": "unaffected"
}
],
"lessThan": "11.2.3",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.1.2-h16",
"status": "unaffected"
},
{
"at": "11.1.3-h13",
"status": "unaffected"
},
{
"at": "11.1.4-h7",
"status": "unaffected"
},
{
"at": "11.1.5",
"status": "unaffected"
}
],
"lessThan": "11.1.2-h16",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.8-h19",
"status": "unaffected"
},
{
"at": "10.2.9-h19",
"status": "unaffected"
},
{
"at": "10.2.10-h12",
"status": "unaffected"
},
{
"at": "10.2.11-h10",
"status": "unaffected"
},
{
"at": "10.2.12-h4",
"status": "unaffected"
},
{
"at": "10.2.13-h2",
"status": "unaffected"
},
{
"at": "10.2.14",
"status": "unaffected"
}
],
"lessThan": "10.2.8-h19",
"status": "affected",
"version": "10.2.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.14-h8",
"status": "unaffected"
},
{
"at": "10.1.15",
"status": "unaffected"
}
],
"lessThan": "10.1.14-h8",
"status": "affected",
"version": "10.1.14",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Prisma Access"
],
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.2.8",
"status": "affected"
},
{
"at": "10.2.9-h19",
"status": "unaffected"
},
{
"at": "10.2.10-h12",
"status": "unaffected"
}
],
"lessThan": "10.2.8",
"status": "unaffected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.2.3",
"status": "unaffected"
}
],
"lessThan": "11.2.3",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBoth of the following must be true for PAN-OS software to be affected:\u003cbr\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eEither a DNS Security License or an Advanced DNS Security License must be applied, AND\u003cbr\u003e\u003c/li\u003e\u003cli\u003eDNS Security logging must be enabled.\u003c/li\u003e\u003c/ol\u003e"
}
],
"value": "Both of the following must be true for PAN-OS software to be affected:\n\n\n * Either a DNS Security License or an Advanced DNS Security License must be applied, AND\n\n * DNS Security logging must be enabled."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Palo Alto Networks thanks the CERT-EE team for their extra effort in providing invaluable forensic and analytic assistance."
}
],
"datePublic": "2024-12-27T02:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode."
}
],
"value": "A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue."
}
],
"value": "Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "An attacker sends a malicious packet through the firewall, which processes a malicious packet that triggers this issue."
}
]
},
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Prisma Access, when only providing access to authenticated end users, processes a malicious packet that triggers this issue."
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-28T01:51:29.594Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3393"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan\u003eThis issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan\u003eNote: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan\u003ePrisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.paloaltonetworks.com/Support/Index\"\u003e\u003cspan\u003esupport case\u003c/span\u003e\u003c/a\u003e\u003cspan\u003e.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan\u003e\u003cspan\u003eIn addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u200b\u200bAdditional PAN-OS 11.1 fixes:\u003c/p\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e11.1.2-h16\u003c/li\u003e\u003cli\u003e11.1.3-h13\u003c/li\u003e\u003cli\u003e11.1.4-h7\u003c/li\u003e\u003cli\u003e11.1.5\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003cdiv\u003eAdditional PAN-OS 10.2 fixes:\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e10.2.8-h19\u003c/li\u003e\u003cli\u003e10.2.9-h19\u003c/li\u003e\u003cli\u003e10.2.10-h12\u003c/li\u003e\u003cli\u003e10.2.11-h10\u003c/li\u003e\u003cli\u003e10.2.12-h4\u003c/li\u003e\u003cli\u003e10.2.13-h2\u003c/li\u003e\u003cli\u003e10.2.14\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003cdiv\u003eAdditional PAN-OS 10.1 fixes:\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e10.1.14-h8\u003c/li\u003e\u003cli\u003e10.1.15\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003cdiv\u003eAdditional PAN-OS fixes only applicable to Prisma Access:\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e10.2.9-h19\u003c/li\u003e\u003cli\u003e10.2.10-h12\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.\n\nNote: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.\n\nPrisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case https://support.paloaltonetworks.com/Support/Index .\n\nIn addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\n\n\u200b\u200bAdditional PAN-OS 11.1 fixes:\n\n * 11.1.2-h16\n * 11.1.3-h13\n * 11.1.4-h7\n * 11.1.5\n\n\n\n\nAdditional PAN-OS 10.2 fixes:\n\n * 10.2.8-h19\n * 10.2.9-h19\n * 10.2.10-h12\n * 10.2.11-h10\n * 10.2.12-h4\n * 10.2.13-h2\n * 10.2.14\n\n\n\n\nAdditional PAN-OS 10.1 fixes:\n\n * 10.1.14-h8\n * 10.1.15\n\n\n\n\nAdditional PAN-OS fixes only applicable to Prisma Access:\n\n * 10.2.9-h19\n * 10.2.10-h12"
}
],
"source": {
"defect": [
"PAN-259351",
"PAN-219034"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-27T02:30:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eUnmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama\u003c/b\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003col\u003e\u003cli\u003eFor each Anti-spyware profile, navigate to Objects \u2192 Security Profiles \u2192 Anti-spyware \u2192 (select a profile) \u2192 DNS Policies \u2192 DNS Security.\u003c/li\u003e\u003cli\u003eChange the Log Severity to \"none\" for all configured DNS Security categories.\u003cbr\u003e\u003c/li\u003e\u003cli\u003eCommit the changes.\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003eRemember to revert the Log Severity settings once the fixes are applied.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNGFW managed by Strata Cloud Manager (SCM)\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003e\u003cdiv\u003eYou can choose one of the following mitigation options:\u003c/div\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003eOption 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.\u003c/li\u003e\u003cli\u003eOption 2: Disable DNS Security logging across all NGFWs in your tenant by opening a \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.paloaltonetworks.com/Support/Index\"\u003esupport case\u003c/a\u003e.\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e\u003cb\u003e\u003cp\u003ePrisma Access managed by Strata Cloud Manager (SCM)\u003c/p\u003e\u003c/b\u003e\u003c/div\u003e\u003cp\u003eUntil we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.paloaltonetworks.com/Support/Index\"\u003esupport case\u003c/a\u003e. If you would like to expedite the upgrade, please make a note of that in the support case.\u003c/p\u003e\u003cb\u003e\u003c/b\u003e"
}
],
"value": "If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment.\n\nUnmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama\n * For each Anti-spyware profile, navigate to Objects \u2192 Security Profiles \u2192 Anti-spyware \u2192 (select a profile) \u2192 DNS Policies \u2192 DNS Security.\n * Change the Log Severity to \"none\" for all configured DNS Security categories.\n\n * Commit the changes.\n\nRemember to revert the Log Severity settings once the fixes are applied.\n\nNGFW managed by Strata Cloud Manager (SCM)\n\nYou can choose one of the following mitigation options:\n\n * Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.\n * Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case https://support.paloaltonetworks.com/Support/Index .\n\n\nPrisma Access managed by Strata Cloud Manager (SCM)\n\n\n\nUntil we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case https://support.paloaltonetworks.com/Support/Index . If you would like to expedite the upgrade, please make a note of that in the support case."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-3393",
"datePublished": "2024-12-27T09:44:24.538Z",
"dateReserved": "2024-04-05T17:40:24.596Z",
"dateUpdated": "2025-10-21T22:55:33.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0011 (GCVE-0-2022-0011)
Vulnerability from – Published: 2022-02-10 18:10 – Updated: 2024-09-16 23:51
VLAI
Title
PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering
Summary
PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com.* will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.
Severity
6.5 (Medium)
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2022-0011 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
9.0.*
Affected: 8.1 , < 8.1.21 (custom) Affected: 9.1 , < 9.1.12 (custom) Affected: 10.0 , < 10.0.8 (custom) Affected: 10.1 , < 10.1.3 (custom) |
|
| Palo Alto Networks | Prisma Access |
Unaffected:
3.0 Preferred, Innovation
Affected: 2.2 Preferred Affected: 2.1 Preferred, Innovation |
Date Public
2022-02-09 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2022-0011"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "affected",
"version": "9.0.*"
},
{
"changes": [
{
"at": "8.1.21",
"status": "unaffected"
}
],
"lessThan": "8.1.21",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.12",
"status": "unaffected"
}
],
"lessThan": "9.1.12",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "3.0 Preferred, Innovation"
},
{
"status": "affected",
"version": "2.2 Preferred"
},
{
"status": "affected",
"version": "2.1 Preferred, Innovation"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only when you configure exceptions to URL filtering either by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile as per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/block-and-allow-lists.html."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks Chris Johnston of PricewaterhouseCoopers for discovering and reporting this issue."
}
],
"datePublic": "2022-02-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com.* will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-10T18:10:15.000Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2022-0011"
}
],
"solutions": [
{
"lang": "en",
"value": "PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL).\n\nPrisma Access customers should refer to \u201cSTEP 7\u201d in the following Prisma Access 3.0 documentation to enable this feature:\n\nhttps://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/prisma-access-service-infrastructure/enable-the-service-infrastructure.html\n\nFor other PAN-OS appliances, this option is enabled by running these CLI commands:\n debug device-server append-end-token on\n commit force\n\nNote: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version.\n\nAdditionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement.\n\nExample 1: If the firewall policy rule is intended to allow only \u0027www.example.com\u0027 and not to allow access to any other site, such as www.example.com.webiste.test, then use the \"debug device-server append-end-token on\" CLI command.\n\nExample 2: If the firewall policy rule is set to block access to \u0027www.example.co\u0027 and block access to sites such as www.example.com, www.example.co.az, then keep the default setting (\"debug device-server append-end-token off\" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule."
}
],
"source": {
"defect": [
"PAN-174443"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2022-02-09T00:00:00.000Z",
"value": "initial publication"
}
],
"title": "PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering",
"workarounds": [
{
"lang": "en",
"value": "Add a forward slash (/) at the end of the hostname pattern for all entries in the custom URL category list or the external dynamic list (EDL).\n\nFor example:\n example.com/ will not match example.com.website.test"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2022-02-09T17:00:00.000Z",
"ID": "CVE-2022-0011",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.21"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.12"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.21"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.12"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "=",
"version_name": "9.0",
"version_value": "9.0.*"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "3.0",
"version_value": "Preferred, Innovation"
},
{
"version_affected": "=",
"version_name": "2.2",
"version_value": "Preferred"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred, Innovation"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only when you configure exceptions to URL filtering either by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile as per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/block-and-allow-lists.html."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks Chris Johnston of PricewaterhouseCoopers for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com.* will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-436 Interpretation Conflict"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2022-0011",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2022-0011"
}
]
},
"solution": [
{
"lang": "en",
"value": "PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL).\n\nPrisma Access customers should refer to \u201cSTEP 7\u201d in the following Prisma Access 3.0 documentation to enable this feature:\n\nhttps://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/prisma-access-service-infrastructure/enable-the-service-infrastructure.html\n\nFor other PAN-OS appliances, this option is enabled by running these CLI commands:\n debug device-server append-end-token on\n commit force\n\nNote: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version.\n\nAdditionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement.\n\nExample 1: If the firewall policy rule is intended to allow only \u0027www.example.com\u0027 and not to allow access to any other site, such as www.example.com.webiste.test, then use the \"debug device-server append-end-token on\" CLI command.\n\nExample 2: If the firewall policy rule is set to block access to \u0027www.example.co\u0027 and block access to sites such as www.example.com, www.example.co.az, then keep the default setting (\"debug device-server append-end-token off\" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule."
}
],
"source": {
"defect": [
"PAN-174443"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2022-02-09T00:00:00.000Z",
"value": "initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Add a forward slash (/) at the end of the hostname pattern for all entries in the custom URL category list or the external dynamic list (EDL).\n\nFor example:\n example.com/ will not match example.com.website.test"
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.2",
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h3",
"PAN-OS 9.1.11-h2",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.15",
"PAN-OS 9.0.14-h4",
"PAN-OS 9.0.14-h3",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20-h1",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2022-0011",
"datePublished": "2022-02-10T18:10:15.524Z",
"dateReserved": "2021-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:51:26.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3060 (GCVE-0-2021-3060)
Vulnerability from – Published: 2021-11-10 17:10 – Updated: 2024-09-16 18:56
VLAI
Title
PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)
Summary
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.
Severity
8.1 (High)
CWE
- CWE-78 - OS Command Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2021-3060 | x_refsource_MISC |
| https://docs.paloaltonetworks.com/pan-os/10-0/pan… | x_refsource_MISC |
| https://docs.paloaltonetworks.com/prisma/prisma-a… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
8.1 , < 8.1.20-h1
(custom)
Affected: 9.0 , < 9.0.14-h3 (custom) Affected: 9.1 , < 9.1.11-h2 (custom) Affected: 10.0 , < 10.0.8 (custom) Affected: 10.1 , < 10.1.3 (custom) |
|
| Palo Alto Networks | Prisma Access |
Affected:
2.1 Preferred
Affected: 2.1 Innovation Unaffected: all , < 2.2* (custom) |
Date Public
2021-11-10 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.20-h1",
"status": "unaffected"
}
],
"lessThan": "8.1.20-h1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h3",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h3",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h2",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "affected",
"version": "2.1 Preferred"
},
{
"status": "affected",
"version": "2.1 Innovation"
},
{
"lessThan": "2.2*",
"status": "unaffected",
"version": "all",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to GlobalProtect portal and gateway configurations that are configured with a SCEP profile and when the default master key was not changed.\n\nYou can determine if your configuration has a SCEP profile by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nNote: The SCEP profile does not need to be enabled for the firewall to be at risk; it need only exist in the configuration to be a risk even if disabled.\n\nYou know you are using the default master key when the master key was not explicitly configured on the firewall. Review the master key configuration by selecting \u0027Device \u003e Master Key and Diagnostics\u0027 from the web interface and change the key if needed."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue at time of publication. However, we expect exploits for this issue to become publicly available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:24.000Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
},
{
"lang": "en",
"value": "This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176661"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)",
"workarounds": [
{
"lang": "en",
"value": "Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Access customers.\n\nDocumentation for configuring the master key is available at: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html. Please note the special requirements for high-availability (HA) and Panorama-managed environments.\n\nAdditional information is available for Prisma Access customers at: https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html.\n\nRemove all configured SCEP profiles from the firewall to completely eliminate any risk of exploitation related to this issue. You can view any existing SCEP profiles configured on the firewall by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nThis issue requires the attacker to have network access to the GlobalProtect interface.\n\nIn addition to these workarounds, you should enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces to further mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not necessary to detect attacks against this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3060",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred"
},
{
"version_affected": "!\u003e=",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Innovation"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to GlobalProtect portal and gateway configurations that are configured with a SCEP profile and when the default master key was not changed.\n\nYou can determine if your configuration has a SCEP profile by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nNote: The SCEP profile does not need to be enabled for the firewall to be at risk; it need only exist in the configuration to be a risk even if disabled.\n\nYou know you are using the default master key when the master key was not explicitly configured on the firewall. Review the master key configuration by selecting \u0027Device \u003e Master Key and Diagnostics\u0027 from the web interface and change the key if needed."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue at time of publication. However, we expect exploits for this issue to become publicly available."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3060",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"name": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html",
"refsource": "MISC",
"url": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html"
},
{
"name": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html",
"refsource": "MISC",
"url": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
},
{
"lang": "en",
"value": "This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176661"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Access customers.\n\nDocumentation for configuring the master key is available at: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html. Please note the special requirements for high-availability (HA) and Panorama-managed environments.\n\nAdditional information is available for Prisma Access customers at: https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html.\n\nRemove all configured SCEP profiles from the firewall to completely eliminate any risk of exploitation related to this issue. You can view any existing SCEP profiles configured on the firewall by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nThis issue requires the attacker to have network access to the GlobalProtect interface.\n\nIn addition to these workarounds, you should enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces to further mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not necessary to detect attacks against this issue."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3060",
"datePublished": "2021-11-10T17:10:24.593Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:56:09.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3061 (GCVE-0-2021-3061)
Vulnerability from – Published: 2021-11-10 17:10 – Updated: 2024-09-16 17:49
VLAI
Title
PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)
Summary
An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue.
Severity
6.4 (Medium)
CWE
- CWE-78 - OS Command Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2021-3061 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
8.1 , < 8.1.20-h1
(custom)
Affected: 9.0 , < 9.0.14-h3 (custom) Affected: 10.0 , < 10.0.8 (custom) Affected: 10.1 , < 10.1.3 (custom) Affected: 9.1 , < 9.1.11-h2 (custom) |
|
| Palo Alto Networks | Prisma Access |
Unaffected:
2.2 all
Affected: 2.1 Preferred Affected: 2.1 Innovation |
Date Public
2021-11-10 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.20-h1",
"status": "unaffected"
}
],
"lessThan": "8.1.20-h1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h3",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h3",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h2",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.2 all"
},
{
"status": "affected",
"version": "2.1 Preferred"
},
{
"status": "affected",
"version": "2.1 Innovation"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott from Palo Alto Networks for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:26.000Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.\n\nThis issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176655",
"PAN-158334"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)",
"workarounds": [
{
"lang": "en",
"value": "This issue requires the attacker to have authenticated access to the PAN-OS CLI. You can mitigate the impact of this issue by following best practices for securing PAN-OS software. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3061",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h2"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Innovation"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott from Palo Alto Networks for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3061",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.\n\nThis issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176655",
"PAN-158334"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "This issue requires the attacker to have authenticated access to the PAN-OS CLI. You can mitigate the impact of this issue by following best practices for securing PAN-OS software. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3061",
"datePublished": "2021-11-10T17:10:26.316Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:49:25.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8687 (GCVE-0-2024-8687)
Vulnerability from – Published: 2024-09-11 16:40 – Updated: 2024-09-11 18:25
VLAI
Title
PAN-OS: Cleartext Exposure of GlobalProtect Portal Passcodes
Summary
An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Unaffected:
11.1.0
Unaffected: 11.2.0 Affected: 11.0.0 , < 11.0.1 (custom) Affected: 10.2.0 , < 10.2.4 (custom) Affected: 10.1.0 , < 10.1.9 (custom) Affected: 10.0.0 , < 10.0.12 (custom) Affected: 9.1.0 , < 9.1.16 (custom) Affected: 9.0.0 , < 9.0.17 (custom) Affected: 8.1.0 , < 8.1.25 (custom) |
|
| Palo Alto Networks | GlobalProtect App |
Affected:
5.1.0 , < 5.1.12
(custom)
Affected: 5.2.0 , < 5.2.13 (custom) Affected: 6.0.0 , < 6.0.7 (custom) Affected: 6.1.0 , < 6.1.2 (custom) Affected: 6.2.0 , < 6.2.1 (custom) Unaffected: 6.3.0 |
|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
|
|
| Palo Alto Networks | Prisma Access |
Affected:
10.2.0 , < 10.2.9 on PAN-OS
(custom)
|
Date Public
2024-09-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:23:36.439085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:25:14.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "11.1.0"
},
{
"status": "unaffected",
"version": "11.2.0"
},
{
"changes": [
{
"at": "11.0.1",
"status": "unaffected"
}
],
"lessThan": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.4",
"status": "unaffected"
}
],
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.9",
"status": "unaffected"
}
],
"lessThan": "10.1.9",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.12",
"status": "unaffected"
}
],
"lessThan": "10.0.12",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.16",
"status": "unaffected"
}
],
"lessThan": "9.1.16",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.17",
"status": "unaffected"
}
],
"lessThan": "9.0.17",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.1.25",
"status": "unaffected"
}
],
"lessThan": "8.1.25",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GlobalProtect App",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "5.1.12",
"status": "unaffected"
}
],
"lessThan": "5.1.12",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.13",
"status": "unaffected"
}
],
"lessThan": "5.2.13",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.7",
"status": "unaffected"
}
],
"lessThan": "6.0.7",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.2",
"status": "unaffected"
}
],
"lessThan": "6.1.2",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.1",
"status": "unaffected"
}
],
"lessThan": "6.2.1",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.3.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.2.9 on PAN-OS",
"status": "unaffected"
}
],
"lessThan": "10.2.9 on PAN-OS",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impacted systems are those on which any of the following features are enabled:\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Disable GlobalProtect App \u0026gt; Allow with Passcode\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow user to disconnect GlobalProtect App \u0026gt; Allow with Passcode\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Uninstall GlobalProtect App \u0026gt; Allow with Password"
}
],
"value": "Impacted systems are those on which any of the following features are enabled:\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Disable GlobalProtect App \u003e Allow with Passcode\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow user to disconnect GlobalProtect App \u003e Allow with Passcode\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Uninstall GlobalProtect App \u003e Allow with Password"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Claudiu Pancotan"
}
],
"datePublic": "2024-09-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so."
}
],
"value": "An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-383",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-383 Harvesting Information via API Event Monitoring"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T16:40:21.066Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-8687"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions.\u003cbr\u003e\u003cbr\u003eTo maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version.\u003cbr\u003e\u003cbr\u003eAll fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect.\u003cbr\u003e\u003cbr\u003eYou can find additional information for PAN-204689 here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues\"\u003ehttps://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues\u003c/a\u003e\n\nPrisma Access customers can open a support case to request an upgrade.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions.\n\nTo maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version.\n\nAll fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect.\n\nYou can find additional information for PAN-204689 here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues \n\nPrisma Access customers can open a support case to request an upgrade."
}
],
"source": {
"defect": [
"PAN-204689",
"GPC-16848"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-09-11T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Cleartext Exposure of GlobalProtect Portal Passcodes",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Change the following two settings (if enabled) to \"Allow with Ticket\":\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Disable GlobalProtect App\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow user to disconnect GlobalProtect App\u003cbr\u003e\u003cbr\u003eChange the following setting (if enabled) to \"Disallow\":\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Uninstall GlobalProtect App\u003cbr\u003e"
}
],
"value": "Change the following two settings (if enabled) to \"Allow with Ticket\":\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Disable GlobalProtect App\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow user to disconnect GlobalProtect App\n\nChange the following setting (if enabled) to \"Disallow\":\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Uninstall GlobalProtect App"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-8687",
"datePublished": "2024-09-11T16:40:21.066Z",
"dateReserved": "2024-09-11T08:21:12.686Z",
"dateUpdated": "2024-09-11T18:25:14.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3388 (GCVE-0-2024-3388)
Vulnerability from – Published: 2024-04-10 17:06 – Updated: 2024-08-01 20:12
VLAI
Title
PAN-OS: User Impersonation in GlobalProtect SSL VPN
Summary
A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.
Severity
4.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
8.1.0 , < 8.1.26
(custom)
Affected: 9.0.0 , < 9.0.17-h4 (custom) Affected: 9.1.0 , < 9.1.17 (custom) Affected: 10.1.0 , < 10.1.11-h4 (custom) Affected: 10.2.0 , < 10.2.7-h3 (custom) Affected: 11.0.0 , < 11.0.3 (custom) Unaffected: 11.1.0 |
|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
|
|
| Palo Alto Networks | Prisma Access |
Affected:
10.2 , < 10.2.4
(custom)
|
Date Public
2024-04-10 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T14:39:04.465851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:48.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:06.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3388"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.26",
"status": "unaffected"
}
],
"lessThan": "8.1.26",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.17-h4",
"status": "unaffected"
}
],
"lessThan": "9.0.17-h4",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.17",
"status": "unaffected"
}
],
"lessThan": "9.1.17",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.11-h4",
"status": "unaffected"
}
],
"lessThan": "10.1.11-h4",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.7-h3",
"status": "unaffected"
}
],
"lessThan": "10.2.7-h3",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.0.3",
"status": "unaffected"
}
],
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "11.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.2.4",
"status": "unaffected"
}
],
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue applies only to PAN-OS firewall configurations with an enabled GlobalProtect gateway and where you are permitting use of the SSL VPN either as a fallback or as the only available tunnel mode. You should verify whether you have a configured GlobalProtect gateway by checking for entries in your firewall web interface (Network \u003e GlobalProtect \u003e Gateways). You can also verify:\n- Whether SSL VPN fallback is permitted (check to see if the \"Disable Automatic Restoration of SSL VPN\" option is disabled in the GlobalProtect Gateway Configuration dialog by selecting Agent \u003e Connection Settings) or;\n- Whether SSL VPN is the only available tunnel mode (check to see if \"Enable IPSec\" is disabled (unchecked) in the GlobalProtect Gateway Configuration dialog by selecting Agent \u003e Tunnel Settings).\nBy default, both PAN-OS firewalls and Prisma Access use the SSL VPN only when the endpoint fails to successfully establish an IPSec tunnel."
}
],
"value": "This issue applies only to PAN-OS firewall configurations with an enabled GlobalProtect gateway and where you are permitting use of the SSL VPN either as a fallback or as the only available tunnel mode. You should verify whether you have a configured GlobalProtect gateway by checking for entries in your firewall web interface (Network \u003e GlobalProtect \u003e Gateways). You can also verify:\n- Whether SSL VPN fallback is permitted (check to see if the \"Disable Automatic Restoration of SSL VPN\" option is disabled in the GlobalProtect Gateway Configuration dialog by selecting Agent \u003e Connection Settings) or;\n- Whether SSL VPN is the only available tunnel mode (check to see if \"Enable IPSec\" is disabled (unchecked) in the GlobalProtect Gateway Configuration dialog by selecting Agent \u003e Tunnel Settings).\nBy default, both PAN-OS firewalls and Prisma Access use the SSL VPN only when the endpoint fails to successfully establish an IPSec tunnel."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks Ta-Lun Yen of TXOne Networks for discovering and reporting this issue."
}
],
"datePublic": "2024-04-10T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets."
}
],
"value": "A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194 Fake the Source of Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T17:06:40.685Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-3388"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11-h4, PAN-OS 10.2.7-h3, PAN-OS 11.0.3, and all later PAN-OS versions. This issue is fixed in Prisma Access 10.2.4 and later.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11-h4, PAN-OS 10.2.7-h3, PAN-OS 11.0.3, and all later PAN-OS versions. This issue is fixed in Prisma Access 10.2.4 and later.\n"
}
],
"source": {
"defect": [
"PAN-224964"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-04-10T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: User Impersonation in GlobalProtect SSL VPN",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "You can enable the \"Disable Automatic Restoration of SSL VPN\" (Network \u003e GlobalProtect Gateways \u003e \u003cgateway-config\u003e \u003e GlobalProtect Gateway Configuration \u003e Agent \u003e Connection Settings) on PAN-OS firewalls with the GlobalProtect feature enabled to mitigate this vulnerability.\u003cbr\u003e"
}
],
"value": "You can enable the \"Disable Automatic Restoration of SSL VPN\" (Network \u003e GlobalProtect Gateways \u003e \u003e GlobalProtect Gateway Configuration \u003e Agent \u003e Connection Settings) on PAN-OS firewalls with the GlobalProtect feature enabled to mitigate this vulnerability.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-3388",
"datePublished": "2024-04-10T17:06:40.685Z",
"dateReserved": "2024-04-05T17:40:20.687Z",
"dateUpdated": "2024-08-01T20:12:06.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
displaying 1 - 8 organizations in total 8