CVE-2024-2550 (GCVE-0-2024-2550)
Vulnerability from – Published: 2024-11-14 09:40 – Updated: 2024-11-14 14:11
VLAI?
Title
PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
Summary
A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop the GlobalProtect service on the firewall by sending a specially crafted packet that causes a denial of service (DoS) condition. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
|
||||||||||||
|
||||||||||||||
Credits
Michael Baker from AC3
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2550",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:11:13.254898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:11:24.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "11.2.0"
},
{
"changes": [
{
"at": "11.1.5",
"status": "unaffected"
}
],
"lessThan": "11.1.5",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.0.6",
"status": "unaffected"
}
],
"lessThan": "11.0.6",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.11",
"status": "unaffected"
}
],
"lessThan": "10.2.11",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "10.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue impacts only firewalls on which you configured a GlobalProtect gateway. You can verify whether you configured GlobalProtect gateway by checking for entries in your firewall web interface (Network \u2192 GlobalProtect \u2192 Gateways)."
}
],
"value": "This issue impacts only firewalls on which you configured a GlobalProtect gateway. You can verify whether you configured GlobalProtect gateway by checking for entries in your firewall web interface (Network \u2192 GlobalProtect \u2192 Gateways)."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Baker from AC3"
}
],
"datePublic": "2024-11-13T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop the GlobalProtect service on the firewall by sending a specially crafted packet that causes a denial of service (DoS) condition. Repeated attempts to trigger this condition result in the firewall entering maintenance mode."
}
],
"value": "A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop the GlobalProtect service on the firewall by sending a specially crafted packet that causes a denial of service (DoS) condition. Repeated attempts to trigger this condition result in the firewall entering maintenance mode."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T09:40:38.838Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-2550"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.5, and all later PAN-OS versions."
}
],
"value": "This issue is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.5, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-244950",
"PAN-221352"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-11-13T17:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet"
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-2550",
"datePublished": "2024-11-14T09:40:38.838Z",
"dateReserved": "2024-03-15T22:43:26.399Z",
"dateUpdated": "2024-11-14T14:11:24.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9472 (GCVE-0-2024-9472)
Vulnerability from – Published: 2024-11-14 09:34 – Updated: 2024-11-14 14:10
VLAI?
Title
PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic
Summary
A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.
Palo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected.
This issue only affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series running these specific versions of PAN-OS:
* 10.2.7-h12
* 10.2.8-h10
* 10.2.9-h9
* 10.2.9-h11
* 10.2.10-h2
* 10.2.10-h3
* 10.2.11
* 10.2.11-h1
* 10.2.11-h2
* 10.2.11-h3
* 11.1.2-h9
* 11.1.2-h12
* 11.1.3-h2
* 11.1.3-h4
* 11.1.3-h6
* 11.2.2
* 11.2.2-h1
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All
(custom)
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:09:59.075028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:10:30.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "11.2.2-h3",
"status": "unaffected"
},
{
"at": "11.2.3",
"status": "unaffected"
}
],
"lessThan": "11.2.2-h3",
"status": "affected",
"version": "11.2.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.1.2-h14",
"status": "unaffected"
},
{
"at": "11.1.3-h10",
"status": "unaffected"
}
],
"lessThan": "11.1.2-h14",
"status": "affected",
"version": "11.1.2-h9",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "11.0.0"
},
{
"changes": [
{
"at": "10.2.7-h16",
"status": "unaffected"
},
{
"at": "10.2.8-h13",
"status": "unaffected"
},
{
"at": "10.2.9-14",
"status": "unaffected"
},
{
"at": "10.2.10-h7",
"status": "unaffected"
},
{
"at": "10.2.11-h4",
"status": "unaffected"
}
],
"lessThan": "10.2.7-h16",
"status": "affected",
"version": "10.2.7-h12",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "10.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is only applicable firewalls where url proxy or any decrypt-policy is configured.\u003cbr\u003e\u003cbr\u003eWhen any decrypt policy is configured, this issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies.\u003cbr\u003e"
}
],
"value": "This issue is only applicable firewalls where url proxy or any decrypt-policy is configured.\n\nWhen any decrypt policy is configured, this issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies."
}
],
"datePublic": "2024-11-13T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003ePalo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected.\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eThis issue only affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series running these specific versions of PAN-OS:\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e10.2.7-h12\u003c/li\u003e\u003cli\u003e10.2.8-h10\u003c/li\u003e\u003cli\u003e10.2.9-h9\u003c/li\u003e\u003cli\u003e10.2.9-h11\u003c/li\u003e\u003cli\u003e10.2.10-h2\u003c/li\u003e\u003cli\u003e10.2.10-h3\u003c/li\u003e\u003cli\u003e10.2.11\u003c/li\u003e\u003cli\u003e10.2.11-h1\u003c/li\u003e\u003cli\u003e10.2.11-h2\u003c/li\u003e\u003cli\u003e10.2.11-h3\u003c/li\u003e\u003cli\u003e11.1.2-h9\u003c/li\u003e\u003cli\u003e11.1.2-h12\u003c/li\u003e\u003cli\u003e11.1.3-h2\u003c/li\u003e\u003cli\u003e11.1.3-h4\u003c/li\u003e\u003cli\u003e11.1.3-h6\u003c/li\u003e\u003cli\u003e11.2.2\u003c/li\u003e\u003cli\u003e11.2.2-h1\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.\n\n\nPalo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected.\n\n\nThis issue only affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series running these specific versions of PAN-OS:\n\n * 10.2.7-h12\n * 10.2.8-h10\n * 10.2.9-h9\n * 10.2.9-h11\n * 10.2.10-h2\n * 10.2.10-h3\n * 10.2.11\n * 10.2.11-h1\n * 10.2.11-h2\n * 10.2.11-h3\n * 11.1.2-h9\n * 11.1.2-h12\n * 11.1.3-h2\n * 11.1.3-h4\n * 11.1.3-h6\n * 11.2.2\n * 11.2.2-h1"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue. However, customers have reported encountering this issue during normal operations."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue. However, customers have reported encountering this issue during normal operations."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T09:34:22.665Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-9472"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 10.2.7-h16, PAN-OS 10.2.8-h13, PAN-OS 10.2.9-h14, PAN-OS 10.2.10-h7, PAN-OS 10.2.11-h4, PAN-OS 11.1.2-h14, PAN-OS 11.1.3-h10, PAN-OS 11.2.2-h3, PAN-OS 11.2.3, and all later PAN-OS versions."
}
],
"value": "This issue is fixed in PAN-OS 10.2.7-h16, PAN-OS 10.2.8-h13, PAN-OS 10.2.9-h14, PAN-OS 10.2.10-h7, PAN-OS 10.2.11-h4, PAN-OS 11.1.2-h14, PAN-OS 11.1.3-h10, PAN-OS 11.2.2-h3, PAN-OS 11.2.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-262287",
"PAN-226361"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2024-11-13T17:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue does not impact firewalls that do not have url proxy or any decrypt-policy configured.\u003cbr\u003e\u003cbr\u003eThe issue can be completely mitigated by setting this option:\u003cbr\u003e\u003cbr\u003eset system setting ctd nonblocking-pattern-match disable"
}
],
"value": "This issue does not impact firewalls that do not have url proxy or any decrypt-policy configured.\n\nThe issue can be completely mitigated by setting this option:\n\nset system setting ctd nonblocking-pattern-match disable"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-9472",
"datePublished": "2024-11-14T09:34:22.665Z",
"dateReserved": "2024-10-03T11:35:18.693Z",
"dateUpdated": "2024-11-14T14:10:30.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9471 (GCVE-0-2024-9471)
Vulnerability from – Published: 2024-10-09 17:06 – Updated: 2024-10-18 11:58
VLAI?
Title
PAN-OS: Privilege Escalation (PE) Vulnerability in XML API
Summary
A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with "Virtual system administrator (read-only)" access could use an XML API key of a "Virtual system administrator" to perform write operations on the virtual system configuration even though they should be limited to read-only operations.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Unaffected:
11.1.0
Affected: 11.0.0 , < 11.0.3 (custom) Affected: 10.1.0 , < 10.1.11 (custom) Affected: 10.2.0 , < 10.2.8 (custom) Affected: 9.1 Affected: 9.0 cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.19:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.18:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.17:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.15:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.15:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h8:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.10:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.9:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.8:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.7:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.6:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.5:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.4:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.3:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.3:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.2:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h7:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h6:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h5:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.15:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.13:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.12:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.11:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.10:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.9:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.9:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.8:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.7:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.6:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.5:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.4:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h4:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h3:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h2:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h1:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.1:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0.0:-:*:*:*:*:*:* cpe:2.3:o:paloaltonetworks:pan-os:9.0:-:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
Palo Alto Networks thanks an external reporter for discovering and reporting this issue.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"lessThan": "10.1.11",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "9.1"
},
{
"status": "affected",
"version": "9.0"
},
{
"status": "unaffected",
"version": "11.1.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T20:28:43.911070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T20:33:15.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.19:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.18:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.17:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.15:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.15:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h8:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.10:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.9:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.8:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.7:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.6:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h7:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h6:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h5:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.15:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.14:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.13:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.12:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.11:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.10:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.9:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.9:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.8:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.7:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.6:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.5:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.4:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.3:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h4:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h3:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h2:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:h1:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.2:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.1:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0.0:-:*:*:*:*:*:*",
"cpe:2.3:o:paloaltonetworks:pan-os:9.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "11.1.0"
},
{
"changes": [
{
"at": "11.0.3",
"status": "unaffected"
}
],
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.11",
"status": "unaffected"
}
],
"lessThan": "10.1.11",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.8",
"status": "unaffected"
}
],
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "9.1"
},
{
"status": "affected",
"version": "9.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is applicable only to PAN-OS configurations that have XML API access enabled.\u003cbr\u003e\u003cbr\u003eYou can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access"
}
],
"value": "This issue is applicable only to PAN-OS configurations that have XML API access enabled.\n\nYou can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks an external reporter for discovering and reporting this issue."
}
],
"datePublic": "2024-10-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with \"Virtual system administrator (read-only)\" access could use an XML API key of a \"Virtual system administrator\" to perform write operations on the virtual system configuration even though they should be limited to read-only operations."
}
],
"value": "A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with \"Virtual system administrator (read-only)\" access could use an XML API key of a \"Virtual system administrator\" to perform write operations on the virtual system configuration even though they should be limited to read-only operations."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T11:58:13.115Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-9471"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions."
}
],
"value": "This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-217511",
"PAN-152631"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-10-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Privilege Escalation (PE) Vulnerability in XML API",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the effect this issue has on your environment by following the Administrative Access Best Practices in the PAN-OS technical documentation at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices\"\u003ehttps://docs.paloaltonetworks.com/best-practices\u003c/a\u003e."
}
],
"value": "This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the effect this issue has on your environment by following the Administrative Access Best Practices in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices ."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-9471",
"datePublished": "2024-10-09T17:06:41.456Z",
"dateReserved": "2024-10-03T11:35:17.822Z",
"dateUpdated": "2024-10-18T11:58:13.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6792 (GCVE-0-2023-6792)
Vulnerability from – Published: 2023-12-13 18:16 – Updated: 2024-10-08 14:26
VLAI?
Title
PAN-OS: OS Command Injection Vulnerability in the XML API
Summary
An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.
Severity ?
5.5 (Medium)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
8.1 , < 8.1.24
(custom)
Affected: 9.0 , < 9.0.17 (custom) Affected: 9.1 , < 9.1.15 (custom) Affected: 10.0 , < 10.0.12 (custom) Affected: 10.1 , < 10.1.6 (custom) Unaffected: 10.2 , < All (custom) Unaffected: 11.0 , < All (custom) Unaffected: 11.1 , < All (custom) |
||||||||||||
|
||||||||||||||
Credits
Palo Alto Networks thanks Ethan Shackelford of IOActive for discovering and reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2023-6792"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:25:49.110797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:26:00.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.24",
"status": "unaffected"
}
],
"lessThan": "8.1.24",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.17",
"status": "unaffected"
}
],
"lessThan": "9.0.17",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.15",
"status": "unaffected"
}
],
"lessThan": "9.1.15",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.12",
"status": "unaffected"
}
],
"lessThan": "10.0.12",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.6",
"status": "unaffected"
}
],
"lessThan": "10.1.6",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "All",
"status": "unaffected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "All",
"status": "unaffected",
"version": "11.0",
"versionType": "custom"
},
{
"lessThan": "All",
"status": "unaffected",
"version": "11.1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is applicable only to PAN-OS configurations that have XML API access enabled.\u003cbr\u003e\u003cbr\u003eYou can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access"
}
],
"value": "This issue is applicable only to PAN-OS configurations that have XML API access enabled.\n\nYou can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks Ethan Shackelford of IOActive for discovering and reporting this issue."
}
],
"datePublic": "2023-12-13T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall."
}
],
"value": "An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-13T18:16:18.893Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2023-6792"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 8.1.24, PAN-OS 9.0.17, PAN-OS 9.1.15, PAN-OS 10.0.12, PAN-OS 10.1.6, and all later PAN-OS versions."
}
],
"value": "This issue is fixed in PAN-OS 8.1.24, PAN-OS 9.0.17, PAN-OS 9.1.15, PAN-OS 10.0.12, PAN-OS 10.1.6, and all later PAN-OS versions."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-12-13T17:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection Vulnerability in the XML API",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 91715 (introduced in Applications and Threats content update 8473).\u003cbr\u003e\u003cbr\u003eThis issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 91715 (introduced in Applications and Threats content update 8473).\n\nThis issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2023-6792",
"datePublished": "2023-12-13T18:16:18.893Z",
"dateReserved": "2023-12-13T17:27:25.801Z",
"dateUpdated": "2024-10-08T14:26:00.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8686 (GCVE-0-2024-8686)
Vulnerability from – Published: 2024-09-11 16:34 – Updated: 2024-09-12 03:55
VLAI?
Title
PAN-OS: Command Injection Vulnerability
Summary
A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Unaffected:
11.2.0 , < 11.2.2
(custom)
Affected: 11.2.2 Unaffected: 11.1.0 Unaffected: 11.0.0 Unaffected: 10.2.0 Unaffected: 10.1.0 |
||||||||||||
|
||||||||||||||
Credits
Louis Lingg
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"status": "unaffected",
"version": "10.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"status": "unaffected",
"version": "10.2.0"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"status": "unaffected",
"version": "11.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"status": "unaffected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"status": "affected",
"version": "11.2.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "11.2.2",
"status": "unaffected",
"version": "11.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:cloud_ngfw:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloud_ngfw",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:prisma_access:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prisma_access",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T03:55:28.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"lessThan": "11.2.2",
"status": "unaffected",
"version": "11.2.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "11.2.2"
},
{
"status": "unaffected",
"version": "11.1.0"
},
{
"status": "unaffected",
"version": "11.0.0"
},
{
"status": "unaffected",
"version": "10.2.0"
},
{
"status": "unaffected",
"version": "10.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Lingg"
}
],
"datePublic": "2024-09-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall."
}
],
"value": "A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T16:34:21.618Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-8686"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 11.2.3 and all later PAN-OS versions.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 11.2.3 and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-263321"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-09-11T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Command Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-8686",
"datePublished": "2024-09-11T16:34:21.618Z",
"dateReserved": "2024-09-11T08:21:11.335Z",
"dateUpdated": "2024-09-12T03:55:28.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8687 (GCVE-0-2024-8687)
Vulnerability from – Published: 2024-09-11 16:40 – Updated: 2024-09-11 18:25
VLAI?
Title
PAN-OS: Cleartext Exposure of GlobalProtect Portal Passcodes
Summary
An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.
Severity ?
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Unaffected:
11.1.0
Unaffected: 11.2.0 Affected: 11.0.0 , < 11.0.1 (custom) Affected: 10.2.0 , < 10.2.4 (custom) Affected: 10.1.0 , < 10.1.9 (custom) Affected: 10.0.0 , < 10.0.12 (custom) Affected: 9.1.0 , < 9.1.16 (custom) Affected: 9.0.0 , < 9.0.17 (custom) Affected: 8.1.0 , < 8.1.25 (custom) |
|||||||||||||||||
|
|||||||||||||||||||
Credits
Claudiu Pancotan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:23:36.439085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:25:14.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "11.1.0"
},
{
"status": "unaffected",
"version": "11.2.0"
},
{
"changes": [
{
"at": "11.0.1",
"status": "unaffected"
}
],
"lessThan": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.4",
"status": "unaffected"
}
],
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.9",
"status": "unaffected"
}
],
"lessThan": "10.1.9",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.12",
"status": "unaffected"
}
],
"lessThan": "10.0.12",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.16",
"status": "unaffected"
}
],
"lessThan": "9.1.16",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.17",
"status": "unaffected"
}
],
"lessThan": "9.0.17",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.1.25",
"status": "unaffected"
}
],
"lessThan": "8.1.25",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GlobalProtect App",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "5.1.12",
"status": "unaffected"
}
],
"lessThan": "5.1.12",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.13",
"status": "unaffected"
}
],
"lessThan": "5.2.13",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.7",
"status": "unaffected"
}
],
"lessThan": "6.0.7",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.2",
"status": "unaffected"
}
],
"lessThan": "6.1.2",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.1",
"status": "unaffected"
}
],
"lessThan": "6.2.1",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.3.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.2.9 on PAN-OS",
"status": "unaffected"
}
],
"lessThan": "10.2.9 on PAN-OS",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impacted systems are those on which any of the following features are enabled:\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Disable GlobalProtect App \u0026gt; Allow with Passcode\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow user to disconnect GlobalProtect App \u0026gt; Allow with Passcode\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Uninstall GlobalProtect App \u0026gt; Allow with Password"
}
],
"value": "Impacted systems are those on which any of the following features are enabled:\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Disable GlobalProtect App \u003e Allow with Passcode\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow user to disconnect GlobalProtect App \u003e Allow with Passcode\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Uninstall GlobalProtect App \u003e Allow with Password"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Claudiu Pancotan"
}
],
"datePublic": "2024-09-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so."
}
],
"value": "An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-383",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-383 Harvesting Information via API Event Monitoring"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T16:40:21.066Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-8687"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions.\u003cbr\u003e\u003cbr\u003eTo maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version.\u003cbr\u003e\u003cbr\u003eAll fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect.\u003cbr\u003e\u003cbr\u003eYou can find additional information for PAN-204689 here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues\"\u003ehttps://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues\u003c/a\u003e\n\nPrisma Access customers can open a support case to request an upgrade.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions.\n\nTo maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version.\n\nAll fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect.\n\nYou can find additional information for PAN-204689 here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues \n\nPrisma Access customers can open a support case to request an upgrade."
}
],
"source": {
"defect": [
"PAN-204689",
"GPC-16848"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-09-11T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Cleartext Exposure of GlobalProtect Portal Passcodes",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Change the following two settings (if enabled) to \"Allow with Ticket\":\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Disable GlobalProtect App\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow user to disconnect GlobalProtect App\u003cbr\u003e\u003cbr\u003eChange the following setting (if enabled) to \"Disallow\":\u003cbr\u003e* Network \u0026gt; GlobalProtect \u0026gt; Portals \u0026gt; \u0026gt; Agent \u0026gt; \u0026gt; App \u0026gt; Allow User to Uninstall GlobalProtect App\u003cbr\u003e"
}
],
"value": "Change the following two settings (if enabled) to \"Allow with Ticket\":\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Disable GlobalProtect App\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow user to disconnect GlobalProtect App\n\nChange the following setting (if enabled) to \"Disallow\":\n* Network \u003e GlobalProtect \u003e Portals \u003e \u003e Agent \u003e \u003e App \u003e Allow User to Uninstall GlobalProtect App"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-8687",
"datePublished": "2024-09-11T16:40:21.066Z",
"dateReserved": "2024-09-11T08:21:12.686Z",
"dateUpdated": "2024-09-11T18:25:14.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8688 (GCVE-0-2024-8688)
Vulnerability from – Published: 2024-09-11 16:40 – Updated: 2024-09-11 18:24
VLAI?
Title
PAN-OS: Arbitrary File Read Vulnerability in the Command Line Interface (CLI)
Summary
An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall.
Severity ?
CWE
- CWE-155 - Improper Neutralization of Wildcards or Matching Symbols
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
9.1.0 , < 9.1.15
(custom)
Affected: 10.0.0 , < 10.0.10 (custom) Affected: 10.1.0 , < 10.1.1 (custom) Unaffected: 10.2.0 Unaffected: 11.0.0 Unaffected: 11.1.0 Unaffected: 11.2.0 |
||||||||||||
|
||||||||||||||
Credits
Matei "Mal" Badanoiu of Deloitte
Martin Smid of Palo Alto Networks
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8688",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:23:35.134977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:24:45.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "9.1.15",
"status": "unaffected"
}
],
"lessThan": "9.1.15",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.10",
"status": "unaffected"
}
],
"lessThan": "10.0.10",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.1",
"status": "unaffected"
}
],
"lessThan": "10.1.1",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "10.2.0"
},
{
"status": "unaffected",
"version": "11.0.0"
},
{
"status": "unaffected",
"version": "11.1.0"
},
{
"status": "unaffected",
"version": "11.2.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matei \"Mal\" Badanoiu of Deloitte"
},
{
"lang": "en",
"type": "finder",
"value": "Martin Smid of Palo Alto Networks"
}
],
"datePublic": "2024-09-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall."
}
],
"value": "An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-6",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-6 Argument Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-155",
"description": "CWE-155 Improper Neutralization of Wildcards or Matching Symbols",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T16:48:22.674Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-8688"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 9.1.15, PAN-OS 10.0.10, PAN-OS 10.1.1, and all later PAN-OS versions.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 9.1.15, PAN-OS 10.0.10, PAN-OS 10.1.1, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-151792",
"PAN-82874"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-09-11T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Arbitrary File Read Vulnerability in the Command Line Interface (CLI)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-8688",
"datePublished": "2024-09-11T16:40:50.806Z",
"dateReserved": "2024-09-11T08:21:13.753Z",
"dateUpdated": "2024-09-11T18:24:45.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8691 (GCVE-0-2024-8691)
Vulnerability from – Published: 2024-09-11 16:43 – Updated: 2024-09-11 18:19
VLAI?
Title
PAN-OS: User Impersonation in GlobalProtect Portal
Summary
A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN-OS software enables a malicious authenticated GlobalProtect user to impersonate another GlobalProtect user. Active GlobalProtect users impersonated by an attacker who is exploiting this vulnerability are disconnected from GlobalProtect. Upon exploitation, PAN-OS logs indicate that the impersonated user authenticated to GlobalProtect, which hides the identity of the attacker.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
9.1.0 , < 9.1.17
(custom)
Affected: 10.1.0 , < 10.1.11 (custom) Unaffected: 10.2.0 Unaffected: 11.0.0 Unaffected: 11.1.0 Unaffected: 11.2.0 |
||||||||||||
|
||||||||||||||
Credits
Claudiu Pancotan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:19:33.436542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:19:46.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "9.1.17",
"status": "unaffected"
}
],
"lessThan": "9.1.17",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.11",
"status": "unaffected"
}
],
"lessThan": "10.1.11",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "10.2.0"
},
{
"status": "unaffected",
"version": "11.0.0"
},
{
"status": "unaffected",
"version": "11.1.0"
},
{
"status": "unaffected",
"version": "11.2.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Claudiu Pancotan"
}
],
"datePublic": "2024-09-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN-OS software enables a malicious authenticated GlobalProtect user to impersonate another GlobalProtect user. Active GlobalProtect users impersonated by an attacker who is exploiting this vulnerability are disconnected from GlobalProtect. Upon exploitation, PAN-OS logs indicate that the impersonated user authenticated to GlobalProtect, which hides the identity of the attacker."
}
],
"value": "A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN-OS software enables a malicious authenticated GlobalProtect user to impersonate another GlobalProtect user. Active GlobalProtect users impersonated by an attacker who is exploiting this vulnerability are disconnected from GlobalProtect. Upon exploitation, PAN-OS logs indicate that the impersonated user authenticated to GlobalProtect, which hides the identity of the attacker."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151 Identity Spoofing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T16:43:30.608Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-8691"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 9.1.17, PAN-OS 10.1.11, and all later PAN-OS versions.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 9.1.17, PAN-OS 10.1.11, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-219031",
"PAN-192893"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-09-11T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: User Impersonation in GlobalProtect Portal",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-8691",
"datePublished": "2024-09-11T16:43:30.608Z",
"dateReserved": "2024-09-11T08:21:16.638Z",
"dateUpdated": "2024-09-11T18:19:46.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3385 (GCVE-0-2024-3385)
Vulnerability from – Published: 2024-04-10 17:06 – Updated: 2024-08-22 18:10
VLAI?
Title
PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled
Summary
A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
This affects the following hardware firewall models:
- PA-5400 Series firewalls
- PA-7000 Series firewalls
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
9.0.0 , < 9.0.17-h4
(custom)
Affected: 9.1.0 , < 9.1.17 (custom) Affected: 10.1.0 , < 10.1.12 (custom) Affected: 10.2.0 , < 10.2.8 (custom) Affected: 11.0.0 , < 11.0.3 (custom) Unaffected: 11.1.0 |
||||||||||||
|
||||||||||||||
Credits
Palo Alto Networks thanks an external reporter for discovering and reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:06.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3385"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "9.0.17-h4",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
},
{
"lessThan": "9.1.17",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"lessThan": "10.1.12",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:cloud_ngfw:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloud_ngfw",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:prisma_access:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prisma_access",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T15:57:38.878804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T18:10:55.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "9.0.17-h4",
"status": "unaffected"
}
],
"lessThan": "9.0.17-h4",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.17",
"status": "unaffected"
}
],
"lessThan": "9.1.17",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.12",
"status": "unaffected"
}
],
"lessThan": "10.1.12",
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.8",
"status": "unaffected"
}
],
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.0.3",
"status": "unaffected"
}
],
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "11.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or Prisma Access.\n\nThis issue affects only PAN-OS configurations with GTP Security disabled. You should verify whether GTP Security is disabled by checking your firewall web interface (Device \u003e Setup \u003e Management \u003e General Settings) and take the appropriate actions as needed."
}
],
"value": "This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or Prisma Access.\n\nThis issue affects only PAN-OS configurations with GTP Security disabled. You should verify whether GTP Security is disabled by checking your firewall web interface (Device \u003e Setup \u003e Management \u003e General Settings) and take the appropriate actions as needed."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks an external reporter for discovering and reporting this issue."
}
],
"datePublic": "2024-04-10T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.\n\nThis affects the following hardware firewall models:\n- PA-5400 Series firewalls\n- PA-7000 Series firewalls"
}
],
"value": "A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.\n\nThis affects the following hardware firewall models:\n- PA-5400 Series firewalls\n- PA-7000 Series firewalls"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T17:06:28.153Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-3385"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.\u003cbr\u003e"
}
],
"value": "This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.\n"
}
],
"source": {
"defect": [
"PAN-221224"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-04-10T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).\u003cbr\u003e"
}
],
"value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-3385",
"datePublished": "2024-04-10T17:06:28.153Z",
"dateReserved": "2024-04-05T17:40:18.347Z",
"dateUpdated": "2024-08-22T18:10:55.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2433 (GCVE-0-2024-2433)
Vulnerability from – Published: 2024-03-13 17:51 – Updated: 2024-08-12 18:54
VLAI?
Title
PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss
Summary
An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images.
This issue affects only the web interface of the management plane; the dataplane is unaffected.
Severity ?
4.3 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Affected:
9.0 , < 9.0.17-h4
(custom)
Affected: 9.1 , < 9.1.17 (custom) Affected: 10.1 , < 10.1.12 (custom) Affected: 10.2 , < 10.2.8 (custom) Affected: 11.0 , < 11.0.3 (custom) Unaffected: 11.1 |
||||||||||||
|
||||||||||||||
Credits
Palo Alto Networks thanks Omar Eissa (https://de.linkedin.com/in/oeissa) for discovering and reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-2433"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThan": "9.0.17-h4",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "9.1.17",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"lessThan": "10.1.12",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pan-os",
"vendor": "paloaltonetworks",
"versions": [
{
"status": "unaffected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:cloud_ngfw:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "cloud_ngfw",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:paloaltonetworks:prisma_access:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "prisma_access",
"vendor": "paloaltonetworks",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T19:59:46.619572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T18:54:08.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Panorama"
],
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "9.0.17-h4",
"status": "unaffected"
}
],
"lessThan": "9.0.17-h4",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.17",
"status": "unaffected"
}
],
"lessThan": "9.1.17",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.12",
"status": "unaffected"
}
],
"lessThan": "10.1.12",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.8",
"status": "unaffected"
}
],
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.0.3",
"status": "unaffected"
}
],
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "11.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks Omar Eissa (https://de.linkedin.com/in/oeissa) for discovering and reporting this issue."
}
],
"datePublic": "2024-03-13T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images. \u003cbr\u003e\u003cbr\u003e\n\nThis issue affects only the web interface of the management plane; the dataplane is unaffected.\u003cbr\u003e"
}
],
"value": "An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images. \n\n\n\nThis issue affects only the web interface of the management plane; the dataplane is unaffected.\n"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\u003cbr\u003e"
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T17:51:45.578Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"url": "https://security.paloaltonetworks.com/CVE-2024-2433"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in Panorama on PAN-OS 9.0.17-h4, PAN-OS 9.1.18, PAN-OS 10.1.12, PAN-OS 10.2.11, PAN-OS 11.0.4, and all later PAN-OS versions.\u003cbr\u003e"
}
],
"value": "This issue is fixed in Panorama on PAN-OS 9.0.17-h4, PAN-OS 9.1.18, PAN-OS 10.1.12, PAN-OS 10.2.11, PAN-OS 11.0.4, and all later PAN-OS versions.\n"
}
],
"source": {
"defect": [
"PAN-181876",
"PAN-218663"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-03-13T16:00:00.000Z",
"value": "Initial publication"
}
],
"title": "PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the effect of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices\"\u003ehttps://docs.paloaltonetworks.com/best-practices\u003c/a\u003e.\u003cbr\u003e"
}
],
"value": "This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the effect of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices .\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2024-2433",
"datePublished": "2024-03-13T17:51:45.578Z",
"dateReserved": "2024-03-13T16:19:27.817Z",
"dateUpdated": "2024-08-12T18:54:08.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
displaying 51 - 60 organizations in total 76