Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2021-AVI-865
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Palo Alto Networks PAN-OS. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Palo Alto Networks | PAN-OS | PAN-OS versions 10.0 antérieures à 10.0.8-h4 | ||
| Palo Alto Networks | PAN-OS | PAN-OS versions 10.1 antérieures à 10.1.3 | ||
| Palo Alto Networks | PAN-OS | PAN-OS versions 9.1 antérieures à 9.1.11-h3 | ||
| Palo Alto Networks | PAN-OS | PAN-OS versions 9.0 antérieures à 9.0.14-h4 | ||
| Palo Alto Networks | PAN-OS | PAN-OS versions 8.1 antérieures à 8.1.21 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "PAN-OS versions 10.0 ant\u00e9rieures \u00e0 10.0.8-h4",
"product": {
"name": "PAN-OS",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "PAN-OS versions 10.1 ant\u00e9rieures \u00e0 10.1.3",
"product": {
"name": "PAN-OS",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "PAN-OS versions 9.1 ant\u00e9rieures \u00e0 9.1.11-h3",
"product": {
"name": "PAN-OS",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "PAN-OS versions 9.0 ant\u00e9rieures \u00e0 9.0.14-h4",
"product": {
"name": "PAN-OS",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "PAN-OS versions 8.1 ant\u00e9rieures \u00e0 8.1.21",
"product": {
"name": "PAN-OS",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-3063",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3063"
},
{
"name": "CVE-2021-3056",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3056"
},
{
"name": "CVE-2021-3062",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3062"
},
{
"name": "CVE-2021-3064",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3064"
},
{
"name": "CVE-2021-3058",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3058"
},
{
"name": "CVE-2021-3059",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3059"
},
{
"name": "CVE-2021-3061",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3061"
},
{
"name": "CVE-2021-3060",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3060"
}
],
"initial_release_date": "2021-11-12T00:00:00",
"last_revision_date": "2021-11-12T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-865",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-11-12T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Palo Alto Networks\nPAN-OS. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une\n\u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Palo Alto Networks PAN-OS",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3064 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3064"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3062 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3062"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3058 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3058"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3056 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3056"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3061 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3060 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3059 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3059"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2021-3063 du 10 novembre 2021",
"url": "https://security.paloaltonetworks.com/CVE-2021-3063"
}
]
}
CVE-2021-3064 (GCVE-0-2021-3064)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-17 03:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 8.1 < 8.1.17 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3064"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "9.0.*"
},
{
"status": "unaffected",
"version": "9.1.*"
},
{
"status": "unaffected",
"version": "10.0.*"
},
{
"status": "unaffected",
"version": "10.1.*"
},
{
"changes": [
{
"at": "8.1.17",
"status": "unaffected"
}
],
"lessThan": "8.1.17",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.2 all"
},
{
"status": "unaffected",
"version": "2.1 all"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in \u0027Network \u003e GlobalProtect \u003e Portals\u0027 and in \u0027Network \u003e GlobalProtect \u003e Gateways\u0027 from the web interface."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks the Randori Attack Team (https://twitter.com/RandoriAttack) for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:30",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3064"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-96528"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces",
"workarounds": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against CVE-2021-3064.\n\nIt is not necessary to enable SSL decryption to detect and block attacks against this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3064",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.17"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.17"
},
{
"version_affected": "!",
"version_name": "9.0",
"version_value": "9.0.*"
},
{
"version_affected": "!",
"version_name": "9.1",
"version_value": "9.1.*"
},
{
"version_affected": "!",
"version_name": "10.0",
"version_value": "10.0.*"
},
{
"version_affected": "!",
"version_name": "10.1",
"version_value": "10.1.*"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "!",
"version_name": "2.1",
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in \u0027Network \u003e GlobalProtect \u003e Portals\u0027 and in \u0027Network \u003e GlobalProtect \u003e Gateways\u0027 from the web interface."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks the Randori Attack Team (https://twitter.com/RandoriAttack) for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3064",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3064"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-96528"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against CVE-2021-3064.\n\nIt is not necessary to enable SSL decryption to detect and block attacks against this issue."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3064",
"datePublished": "2021-11-10T17:10:31.046205Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-17T03:28:39.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3062 (GCVE-0-2021-3062)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-17 02:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 9.1 < 9.1.11 Version: 8.1 < 8.1.20 Version: 9.0 < 9.0.14 Version: 10.0 < 10.0.8 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3062"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"VM-Series"
],
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "10.1.*"
},
{
"changes": [
{
"at": "9.1.11",
"status": "unaffected"
}
],
"lessThan": "9.1.11",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.1.20",
"status": "unaffected"
}
],
"lessThan": "8.1.20",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14",
"status": "unaffected"
}
],
"lessThan": "9.0.14",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.1 all"
},
{
"status": "unaffected",
"version": "2.2 all"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in \u0027Network \u003e GlobalProtect \u003e Portals\u0027 and in \u0027Network \u003e GlobalProtect \u003e Gateways\u0027 on the web interface."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks Matthew Flanagan of Computer Systems Australia (CSA) for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:27",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3062"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions"
}
],
"source": {
"defect": [
"PAN-164422"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users",
"workarounds": [
{
"lang": "en",
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3062",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"platform": "VM-Series",
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11"
},
{
"platform": "VM-Series",
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20"
},
{
"platform": "VM-Series",
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14"
},
{
"platform": "VM-Series",
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11"
},
{
"platform": "VM-Series",
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20"
},
{
"platform": "VM-Series",
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14"
},
{
"platform": "VM-Series",
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"platform": "VM-Series",
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"platform": "VM-Series",
"version_affected": "!",
"version_name": "10.1",
"version_value": "10.1.*"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.1",
"version_value": "all"
},
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in \u0027Network \u003e GlobalProtect \u003e Portals\u0027 and in \u0027Network \u003e GlobalProtect \u003e Gateways\u0027 on the web interface."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks Matthew Flanagan of Computer Systems Australia (CSA) for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3062",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3062"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions"
}
],
"source": {
"defect": [
"PAN-164422"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "There are no known workarounds for this issue."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3062",
"datePublished": "2021-11-10T17:10:27.900906Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-17T02:42:53.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3061 (GCVE-0-2021-3061)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-16 17:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 8.1 < 8.1.20-h1 Version: 9.0 < 9.0.14-h3 Version: 10.0 < 10.0.8 Version: 10.1 < 10.1.3 Version: 9.1 < 9.1.11-h2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.20-h1",
"status": "unaffected"
}
],
"lessThan": "8.1.20-h1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h3",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h3",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h2",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.2 all"
},
{
"status": "affected",
"version": "2.1 Preferred"
},
{
"status": "affected",
"version": "2.1 Innovation"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott from Palo Alto Networks for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:26",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.\n\nThis issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176655",
"PAN-158334"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)",
"workarounds": [
{
"lang": "en",
"value": "This issue requires the attacker to have authenticated access to the PAN-OS CLI. You can mitigate the impact of this issue by following best practices for securing PAN-OS software. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3061",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h2"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Innovation"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott from Palo Alto Networks for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3061",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3061"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.\n\nThis issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176655",
"PAN-158334"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "This issue requires the attacker to have authenticated access to the PAN-OS CLI. You can mitigate the impact of this issue by following best practices for securing PAN-OS software. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3061",
"datePublished": "2021-11-10T17:10:26.316382Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T17:49:25.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3063 (GCVE-0-2021-3063)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-16 20:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Summary
An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to send specifically crafted traffic to a GlobalProtect interface that causes the service to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h4; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers are not impacted by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 8.1 < 8.1.21 Version: 9.0 < 9.0.14-h4 Version: 10.0 < 10.0.8-h4 Version: 10.1 < 10.1.3 Version: 9.1 < 9.1.11-h3 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3063"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.21",
"status": "unaffected"
}
],
"lessThan": "8.1.21",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h4",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h4",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8-h4",
"status": "unaffected"
}
],
"lessThan": "10.0.8-h4",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h3",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h3",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.2 all"
},
{
"status": "unaffected",
"version": "2.1 all"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in \u0027Network \u003e GlobalProtect \u003e Portals\u0027 and in \u0027Network \u003e GlobalProtect \u003e Gateways\u0027 from the web interface."
}
],
"credits": [
{
"lang": "en",
"value": "This issue was found by Nicholas Newsom of Palo Alto Networks during internal security review."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to send specifically crafted traffic to a GlobalProtect interface that causes the service to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h4; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers are not impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:29",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3063"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.21, PAN-OS 9.0.14-h4, PAN-OS 9.1.11-h3, PAN-OS 10.0.8-h4, PAN-OS 10.1.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-180032"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: Denial-of-Service (DoS) Vulnerability in GlobalProtect Portal and Gateway Interfaces",
"workarounds": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect interfaces to block attacks against CVE-2021-3063."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3063",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Denial-of-Service (DoS) Vulnerability in GlobalProtect Portal and Gateway Interfaces"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.21"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.21"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h4"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h4"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8-h4"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8-h4"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h3"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "!",
"version_name": "2.1",
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in \u0027Network \u003e GlobalProtect \u003e Portals\u0027 and in \u0027Network \u003e GlobalProtect \u003e Gateways\u0027 from the web interface."
}
],
"credit": [
{
"lang": "eng",
"value": "This issue was found by Nicholas Newsom of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to send specifically crafted traffic to a GlobalProtect interface that causes the service to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h4; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers are not impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-755 Improper Handling of Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3063",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3063"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.21, PAN-OS 9.0.14-h4, PAN-OS 9.1.11-h3, PAN-OS 10.0.8-h4, PAN-OS 10.1.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-180032"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect interfaces to block attacks against CVE-2021-3063."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.2",
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.8-h2",
"PAN-OS 10.0.8-h1",
"PAN-OS 10.0.8",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h2",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h3",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20-h1",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3063",
"datePublished": "2021-11-10T17:10:29.461099Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T20:26:42.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3059 (GCVE-0-2021-3059)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-16 17:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 10.0 < 10.0.8 Version: 10.1 < 10.1.3 Version: 8.1 < 8.1.20-h1 Version: 9.0 < 9.0.14-h3 Version: 9.1 < 9.1.11-h2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3059"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.1.20-h1",
"status": "unaffected"
}
],
"lessThan": "8.1.20-h1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h3",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h3",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h2",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "affected",
"version": "2.1 Innovation"
},
{
"status": "affected",
"version": "2.1 Preferred"
},
{
"lessThan": "2.2*",
"status": "unaffected",
"version": "all",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations that receive dynamic updates. You can verify that your firewall receives dynamic updates at \u2018Device Deployment \u003e Dynamic Updates\u0027 in the web interface."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:23",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3059"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
},
{
"lang": "en",
"value": "This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176618"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates",
"workarounds": [
{
"lang": "en",
"value": "You can disable scheduled dynamic updates for the firewall at \u0027Device Deployment \u003e Dynamic Updates\u0027 in the web interface. Choosing not to receive dynamic updates will minimize your exposure to this vulnerability until you upgrade the PAN-OS firewall to a fixed version."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3059",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h2"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!\u003e=",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Innovation"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations that receive dynamic updates. You can verify that your firewall receives dynamic updates at \u2018Device Deployment \u003e Dynamic Updates\u0027 in the web interface."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3059",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3059"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
},
{
"lang": "en",
"value": "This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176618"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "You can disable scheduled dynamic updates for the firewall at \u0027Device Deployment \u003e Dynamic Updates\u0027 in the web interface. Choosing not to receive dynamic updates will minimize your exposure to this vulnerability until you upgrade the PAN-OS firewall to a fixed version."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3059",
"datePublished": "2021-11-10T17:10:23.093770Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T17:03:16.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3056 (GCVE-0-2021-3056)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-16 20:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-120 - Buffer Overflow
Summary
A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Clientless VPN enables an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1. Prisma Access customers with Prisma Access 2.1 Preferred firewalls are impacted by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 9.0 < 9.0.14 Version: 8.1 < 8.1.20 Version: 9.1 < 9.1.9 Version: 10.0 < 10.0.1 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3056"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "10.1.*"
},
{
"changes": [
{
"at": "9.0.14",
"status": "unaffected"
}
],
"lessThan": "9.0.14",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.1.20",
"status": "unaffected"
}
],
"lessThan": "8.1.20",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.9",
"status": "unaffected"
}
],
"lessThan": "9.1.9",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.1",
"status": "unaffected"
}
],
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.2 all"
},
{
"status": "affected",
"version": "2.1 Preferred"
},
{
"status": "unaffected",
"version": "2.1 Innovation"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with the Clientless VPN feature and SAML authentication enabled for GlobalProtect Portal."
}
],
"credits": [
{
"lang": "en",
"value": "This issue was found by Nicholas Newsom of Palo Alto Networks during an internal security review."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Clientless VPN enables an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1. Prisma Access customers with Prisma Access 2.1 Preferred firewalls are impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:19",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3056"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.1, and all later PAN-OS versions.\n\nThis issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-149501"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: Memory Corruption Vulnerability in GlobalProtect Clientless VPN During SAML Authentication",
"workarounds": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat ID 91585 on traffic processed by the firewall to block attacks against CVE-2021-3056."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3056",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Memory Corruption Vulnerability in GlobalProtect Clientless VPN During SAML Authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14"
},
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.9"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.9"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "!",
"version_name": "10.1",
"version_value": "10.1.*"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred"
},
{
"version_affected": "!",
"version_name": "2.1",
"version_value": "Innovation"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to PAN-OS firewall configurations with the Clientless VPN feature and SAML authentication enabled for GlobalProtect Portal."
}
],
"credit": [
{
"lang": "eng",
"value": "This issue was found by Nicholas Newsom of Palo Alto Networks during an internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Clientless VPN enables an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1. Prisma Access customers with Prisma Access 2.1 Preferred firewalls are impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-120 Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3056",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3056"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.1, and all later PAN-OS versions.\n\nThis issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-149501"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat ID 91585 on traffic processed by the firewall to block attacks against CVE-2021-3056."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3056",
"datePublished": "2021-11-10T17:10:20.024857Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T20:36:56.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3058 (GCVE-0-2021-3058)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-16 22:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 10.1 < 10.1.3 Version: 9.0 < 9.0.14-h3 Version: 8.1 < 8.1.20-h1 Version: 9.1 < 9.1.11-h2 Version: 10.0 < 10.0.8 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:50.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3058"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h3",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h3",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.1.20-h1",
"status": "unaffected"
}
],
"lessThan": "8.1.20-h1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h2",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "2.1 all"
},
{
"status": "unaffected",
"version": "2.2 all"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This vulnerability is only applicable to PAN-OS firewalls configured to use the XML API."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:21",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3058"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-176653"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection Vulnerability in Web Interface XML API",
"workarounds": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat ID 91715 on traffic processed by the firewall to block attacks against CVE-2021-3058.\n\nThis issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3058",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS Command Injection Vulnerability in Web Interface XML API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "!",
"version_name": "2.1",
"version_value": "all"
},
{
"version_affected": "!",
"version_name": "2.2",
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This vulnerability is only applicable to PAN-OS firewalls configured to use the XML API."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3058",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3058"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-176653"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Enable signatures for Unique Threat ID 91715 on traffic processed by the firewall to block attacks against CVE-2021-3058.\n\nThis issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3058",
"datePublished": "2021-11-10T17:10:21.556749Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T22:52:16.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3060 (GCVE-0-2021-3060)
Vulnerability from cvelistv5
Published
2021-11-10 17:10
Modified
2024-09-16 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | PAN-OS |
Version: 8.1 < 8.1.20-h1 Version: 9.0 < 9.0.14-h3 Version: 9.1 < 9.1.11-h2 Version: 10.0 < 10.0.8 Version: 10.1 < 10.1.3 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "8.1.20-h1",
"status": "unaffected"
}
],
"lessThan": "8.1.20-h1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.0.14-h3",
"status": "unaffected"
}
],
"lessThan": "9.0.14-h3",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "9.1.11-h2",
"status": "unaffected"
}
],
"lessThan": "9.1.11-h2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.0.8",
"status": "unaffected"
}
],
"lessThan": "10.0.8",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.1.3",
"status": "unaffected"
}
],
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1",
"versionType": "custom"
}
]
},
{
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "affected",
"version": "2.1 Preferred"
},
{
"status": "affected",
"version": "2.1 Innovation"
},
{
"lessThan": "2.2*",
"status": "unaffected",
"version": "all",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue is applicable only to GlobalProtect portal and gateway configurations that are configured with a SCEP profile and when the default master key was not changed.\n\nYou can determine if your configuration has a SCEP profile by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nNote: The SCEP profile does not need to be enabled for the firewall to be at risk; it need only exist in the configuration to be a risk even if disabled.\n\nYou know you are using the default master key when the master key was not explicitly configured on the firewall. Review the master key configuration by selecting \u0027Device \u003e Master Key and Diagnostics\u0027 from the web interface and change the key if needed."
}
],
"credits": [
{
"lang": "en",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"datePublic": "2021-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue."
}
],
"exploits": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue at time of publication. However, we expect exploits for this issue to become publicly available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T17:10:24",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
},
{
"lang": "en",
"value": "This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176661"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"title": "PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)",
"workarounds": [
{
"lang": "en",
"value": "Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Access customers.\n\nDocumentation for configuring the master key is available at: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html. Please note the special requirements for high-availability (HA) and Panorama-managed environments.\n\nAdditional information is available for Prisma Access customers at: https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html.\n\nRemove all configured SCEP profiles from the firewall to completely eliminate any risk of exploitation related to this issue. You can view any existing SCEP profiles configured on the firewall by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nThis issue requires the attacker to have network access to the GlobalProtect interface.\n\nIn addition to these workarounds, you should enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces to further mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not necessary to detect attacks against this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2021-11-10T17:00:00.000Z",
"ID": "CVE-2021-3060",
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "\u003c",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "\u003c",
"version_name": "10.1",
"version_value": "10.1.3"
},
{
"version_affected": "!\u003e=",
"version_name": "8.1",
"version_value": "8.1.20-h1"
},
{
"version_affected": "!\u003e=",
"version_name": "9.0",
"version_value": "9.0.14-h3"
},
{
"version_affected": "!\u003e=",
"version_name": "9.1",
"version_value": "9.1.11-h2"
},
{
"version_affected": "!\u003e=",
"version_name": "10.0",
"version_value": "10.0.8"
},
{
"version_affected": "!\u003e=",
"version_name": "10.1",
"version_value": "10.1.3"
}
]
}
},
{
"product_name": "Prisma Access",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Preferred"
},
{
"version_affected": "!\u003e=",
"version_name": "2.2",
"version_value": "all"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "Innovation"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue is applicable only to GlobalProtect portal and gateway configurations that are configured with a SCEP profile and when the default master key was not changed.\n\nYou can determine if your configuration has a SCEP profile by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nNote: The SCEP profile does not need to be enabled for the firewall to be at risk; it need only exist in the configuration to be a risk even if disabled.\n\nYou know you are using the default master key when the master key was not explicitly configured on the firewall. Review the master key configuration by selecting \u0027Device \u003e Master Key and Diagnostics\u0027 from the web interface and change the key if needed."
}
],
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue at time of publication. However, we expect exploits for this issue to become publicly available."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.paloaltonetworks.com/CVE-2021-3060",
"refsource": "MISC",
"url": "https://security.paloaltonetworks.com/CVE-2021-3060"
},
{
"name": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html",
"refsource": "MISC",
"url": "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html"
},
{
"name": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html",
"refsource": "MISC",
"url": "https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions."
},
{
"lang": "en",
"value": "This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions."
}
],
"source": {
"defect": [
"PAN-176661"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2021-11-10T00:00:00",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "en",
"value": "Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Access customers.\n\nDocumentation for configuring the master key is available at: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html. Please note the special requirements for high-availability (HA) and Panorama-managed environments.\n\nAdditional information is available for Prisma Access customers at: https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html.\n\nRemove all configured SCEP profiles from the firewall to completely eliminate any risk of exploitation related to this issue. You can view any existing SCEP profiles configured on the firewall by selecting \u0027Device \u003e Certificate Management \u003e SCEP\u0027 from the web interface.\n\nThis issue requires the attacker to have network access to the GlobalProtect interface.\n\nIn addition to these workarounds, you should enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces to further mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not necessary to detect attacks against this issue."
}
],
"x_advisoryEoL": false,
"x_affectedList": [
"Prisma Access 2.1",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0",
"PAN-OS 10.1",
"PAN-OS 10.0.7",
"PAN-OS 10.0.6",
"PAN-OS 10.0.5",
"PAN-OS 10.0.4",
"PAN-OS 10.0.3",
"PAN-OS 10.0.2",
"PAN-OS 10.0.1",
"PAN-OS 10.0.0",
"PAN-OS 10.0",
"PAN-OS 9.1.11-h1",
"PAN-OS 9.1.11",
"PAN-OS 9.1.10",
"PAN-OS 9.1.9",
"PAN-OS 9.1.8",
"PAN-OS 9.1.7",
"PAN-OS 9.1.6",
"PAN-OS 9.1.5",
"PAN-OS 9.1.4",
"PAN-OS 9.1.3-h1",
"PAN-OS 9.1.3",
"PAN-OS 9.1.2-h1",
"PAN-OS 9.1.2",
"PAN-OS 9.1.1",
"PAN-OS 9.1.0-h3",
"PAN-OS 9.1.0-h2",
"PAN-OS 9.1.0-h1",
"PAN-OS 9.1.0",
"PAN-OS 9.1",
"PAN-OS 9.0.14-h2",
"PAN-OS 9.0.14-h1",
"PAN-OS 9.0.14",
"PAN-OS 9.0.13",
"PAN-OS 9.0.12",
"PAN-OS 9.0.11",
"PAN-OS 9.0.10",
"PAN-OS 9.0.9-h1",
"PAN-OS 9.0.9",
"PAN-OS 9.0.8",
"PAN-OS 9.0.7",
"PAN-OS 9.0.6",
"PAN-OS 9.0.5",
"PAN-OS 9.0.4",
"PAN-OS 9.0.3-h3",
"PAN-OS 9.0.3-h2",
"PAN-OS 9.0.3-h1",
"PAN-OS 9.0.3",
"PAN-OS 9.0.2-h4",
"PAN-OS 9.0.2-h3",
"PAN-OS 9.0.2-h2",
"PAN-OS 9.0.2-h1",
"PAN-OS 9.0.2",
"PAN-OS 9.0.1",
"PAN-OS 9.0.0",
"PAN-OS 9.0",
"PAN-OS 8.1.20",
"PAN-OS 8.1.19",
"PAN-OS 8.1.18",
"PAN-OS 8.1.17",
"PAN-OS 8.1.16",
"PAN-OS 8.1.15-h3",
"PAN-OS 8.1.15-h2",
"PAN-OS 8.1.15-h1",
"PAN-OS 8.1.15",
"PAN-OS 8.1.14-h2",
"PAN-OS 8.1.14-h1",
"PAN-OS 8.1.14",
"PAN-OS 8.1.13",
"PAN-OS 8.1.12",
"PAN-OS 8.1.11",
"PAN-OS 8.1.10",
"PAN-OS 8.1.9-h4",
"PAN-OS 8.1.9-h3",
"PAN-OS 8.1.9-h2",
"PAN-OS 8.1.9-h1",
"PAN-OS 8.1.9",
"PAN-OS 8.1.8-h5",
"PAN-OS 8.1.8-h4",
"PAN-OS 8.1.8-h3",
"PAN-OS 8.1.8-h2",
"PAN-OS 8.1.8-h1",
"PAN-OS 8.1.8",
"PAN-OS 8.1.7",
"PAN-OS 8.1.6-h2",
"PAN-OS 8.1.6-h1",
"PAN-OS 8.1.6",
"PAN-OS 8.1.5",
"PAN-OS 8.1.4",
"PAN-OS 8.1.3",
"PAN-OS 8.1.2",
"PAN-OS 8.1.1",
"PAN-OS 8.1.0",
"PAN-OS 8.1"
],
"x_likelyAffectedList": [
"PAN-OS 8.0.20",
"PAN-OS 8.0.19-h1",
"PAN-OS 8.0.19",
"PAN-OS 8.0.18",
"PAN-OS 8.0.17",
"PAN-OS 8.0.16",
"PAN-OS 8.0.15",
"PAN-OS 8.0.14",
"PAN-OS 8.0.13",
"PAN-OS 8.0.12",
"PAN-OS 8.0.11-h1",
"PAN-OS 8.0.10",
"PAN-OS 8.0.9",
"PAN-OS 8.0.8",
"PAN-OS 8.0.7",
"PAN-OS 8.0.6-h3",
"PAN-OS 8.0.6-h2",
"PAN-OS 8.0.6-h1",
"PAN-OS 8.0.6",
"PAN-OS 8.0.5",
"PAN-OS 8.0.4",
"PAN-OS 8.0.3-h4",
"PAN-OS 8.0.3-h3",
"PAN-OS 8.0.3-h2",
"PAN-OS 8.0.3-h1",
"PAN-OS 8.0.3",
"PAN-OS 8.0.2",
"PAN-OS 8.0.1",
"PAN-OS 8.0.0",
"PAN-OS 8.0",
"PAN-OS 7.1.26",
"PAN-OS 7.1.25",
"PAN-OS 7.1.24-h1",
"PAN-OS 7.1.24",
"PAN-OS 7.1.23",
"PAN-OS 7.1.22",
"PAN-OS 7.1.21",
"PAN-OS 7.1.20",
"PAN-OS 7.1.19",
"PAN-OS 7.1.18",
"PAN-OS 7.1.17",
"PAN-OS 7.1.16",
"PAN-OS 7.1.15",
"PAN-OS 7.1.14",
"PAN-OS 7.1.13",
"PAN-OS 7.1.12",
"PAN-OS 7.1.11",
"PAN-OS 7.1.10",
"PAN-OS 7.1.9-h4",
"PAN-OS 7.1.9-h3",
"PAN-OS 7.1.9-h2",
"PAN-OS 7.1.9-h1",
"PAN-OS 7.1.9",
"PAN-OS 7.1.8",
"PAN-OS 7.1.7",
"PAN-OS 7.1.6",
"PAN-OS 7.1.5",
"PAN-OS 7.1.4-h2",
"PAN-OS 7.1.4-h1",
"PAN-OS 7.1.4",
"PAN-OS 7.1.3",
"PAN-OS 7.1.2",
"PAN-OS 7.1.1",
"PAN-OS 7.1.0",
"PAN-OS 7.1"
]
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2021-3060",
"datePublished": "2021-11-10T17:10:24.593774Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T18:56:09.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…