Total
176 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-1998 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 5.4 MEDIUM |
| An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0. | |||||
| CVE-2020-1997 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 5.8 MEDIUM | 5.3 MEDIUM |
| An open redirection vulnerability in the GlobalProtect component of Palo Alto Networks PAN-OS allows an attacker to specify an arbitrary redirection target away from the trusted GlobalProtect gateway. If the user then successfully authenticates it will cause them to access an unexpected and potentially malicious website. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.0 versions earlier than 8.0.14. | |||||
| CVE-2020-1996 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.9. | |||||
| CVE-2020-1995 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
| A NULL pointer dereference vulnerability in Palo Alto Networks PAN-OS allows an authenticated administrator to send a request that causes the rasmgr daemon to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue affects: PAN-OS 9.1 versions earlier than 9.1.2. | |||||
| CVE-2020-1994 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.9 MEDIUM | 4.1 MEDIUM |
| A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-1993 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 5.5 MEDIUM | 3.7 LOW |
| The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8. | |||||
| CVE-2020-1992 | 1 Paloaltonetworks | 3 Pa-7050, Pa-7080, Pan-os | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000 Series devices with a Log Forwarding Card (LFC) allows remote attackers to crash the daemon creating a denial of service condition or potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.2 on PA-7000 Series devices with an LFC installed and configured. This issue requires WildFire services to be configured and enabled. This issue does not affect PAN-OS 8.1 and earlier releases. This issue does not affect any other PA Series firewalls. | |||||
| CVE-2020-1990 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13; 9.0 versions before 9.0.7. This issue does not affect PAN-OS 7.1. | |||||
| CVE-2020-1982 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol. These cloud services include Cortex Data Lake, the Customer Support Portal, and the Prisma Access infrastructure. Conditions required for exploitation of known TLS 1.0 weaknesses do not exist for the communication between PAN-OS and cloud-delivered services. We do not believe that any communication is impacted as a result of known attacks against TLS 1.0. This issue impacts: All versions of PAN-OS 8.0; PAN-OS 8.1 versions earlier than PAN-OS 8.1.14; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. PAN-OS 7.1 is not impacted by this issue. | |||||
| CVE-2020-1981 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 7.2 HIGH | 7.0 HIGH |
| A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation. This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. | |||||
| CVE-2020-1980 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A shell command injection vulnerability in the PAN-OS CLI allows a local authenticated user to escape the restricted shell and escalate privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. This issue is fixed in PAN-OS 8.1.13, and all later versions. | |||||
| CVE-2020-1979 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.6 MEDIUM | 8.1 HIGH |
| A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. | |||||
| CVE-2020-1978 | 1 Paloaltonetworks | 2 Pan-os, Vm-series | 2024-11-21 | 1.9 LOW | 5.8 MEDIUM |
| TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials. | |||||
| CVE-2020-1975 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions. | |||||
| CVE-2019-1582 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Memory corruption in PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow an administrative user to cause arbitrary memory corruption by rekeying the current client interactive session. | |||||
| CVE-2019-1581 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability in the PAN-OS SSH device management interface that can lead to unauthenticated remote users with network access to the SSH management interface gaining root access to PAN-OS. This issue affects PAN-OS 7.1 versions prior to 7.1.24-h1, 7.1.25; 8.0 versions prior to 8.0.19-h1, 8.0.20; 8.1 versions prior to 8.1.9-h4, 8.1.10; 9.0 versions prior to 9.0.3-h3, 9.0.4. | |||||
| CVE-2019-1580 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to craft a message to Secure Shell Daemon (SSHD) and corrupt arbitrary memory. | |||||
| CVE-2019-1579 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code. | |||||
| CVE-2019-1576 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Command injection in PAN-0S 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user’s permissions. | |||||
| CVE-2019-1575 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and possibly escalate privileges granted to them. | |||||