PANW CVE assignments on September 9 Patch Wednesday.

PANW CVE assignments on September 9 Patch Wednesday.
This commit is contained in:
Chandan 2020-09-09 09:42:30 -07:00
parent e8e6aa25f6
commit c0e349f1f0
GPG Key ID: 76A1F9BB8C9E02F5
9 changed files with 1260 additions and 63 deletions


@ -1,18 +1,146 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2036",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.0"
},
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.0"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies and Ben Nott of Palo Alto Networks for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions.\nThis issue impacts:\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.6;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.9."
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2036"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.9, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-116720"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "Administrators should use caution when they are authenticated to the firewall management web interface and not click or open links from unsolicited sources. \n\nThis issue impacts the management web interface of PAN-OS. You can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. \nPlease review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}
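Review bot: The CVE-2020-2036 description text disagrees with the structured data on the 8.1 fixed version: the `description_data` value says `PAN-OS 8.1 versions earlier than PAN-OS 8.1.6`, while the 8.1 `version_data` entries and the `solution` text both give `8.1.16`. Because many downstream consumers render only the description, the understated number would make 8.1.6 through 8.1.15 installs look patched; the line should read `PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;`. The 9.1 and 10.0 entries are marked `!>=` from their first release, so the description's omission of those trains is consistent with the affects block.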


@ -1,18 +1,151 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2037",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS command injection vulnerability in the management web interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.0"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks Mikhail Klyuchnikov of Positive Technologies, and Nicholas Newsom of Palo Alto Networks for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges.\nThis issue impacts:\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.16;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.10;\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.3."
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2037"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-128761"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}


@ -1,18 +1,151 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2038",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS command injection vulnerability in the management web interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.4"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.4"
},
{
"version_affected": "!",
"version_name": "8.1",
"version_value": "8.1.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges.\nThis issue impacts:\nPAN-OS 9.0 versions earlier than 9.0.10;\nPAN-OS 9.1 versions earlier than 9.1.4;\nPAN-OS 10.0 versions earlier than 10.0.1."
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2038"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-101484"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}


@ -1,18 +1,156 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2039",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Management web interface denial-of-service (DoS) through unauthenticated file upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.4"
},
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.4"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.1"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted.\nThis issue impacts:\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.16;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.10;\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.4;\nPAN-OS 10.0 versions earlier than PAN-OS 10.0.1.\n"
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2039"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-148806"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}
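Review bot: The CVE-2020-2039 description value ends with a trailing `\n` after `PAN-OS 10.0.1.`, which downstream renderers will show as an empty line or an extra paragraph; the same trailing newline appears in the CVE-2020-2040 description and in both the description and `exploit` value of CVE-2020-2042. The sibling records in this commit end their strings at the final period, so trimming the four values keeps the set uniform. This is a presentation point only; the version ranges in this record agree between `version_data`, the description and the `solution` text.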


@ -1,18 +1,165 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2040",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "=",
"version_name": "8.0",
"version_value": "8.0.*"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.0"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "This issue is applicable only where either Captive Portal or Multi-Factor Authentication (MFA) is enabled."
}
],
"credit": [
{
"lang": "eng",
"value": "This issue was found by Yamata Li of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.\nThis issue impacts:\nAll versions of PAN-OS 8.0;\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.15;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.9;\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.3.\n"
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-120 Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2040"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.\n\nAll Prisma Access services are now upgraded to resolve this issue and are no longer vulnerable.\n\nPAN-OS 7.1 and 8.0 are end-of-life and are no longer covered by our Product Security Assurance policies."
}
],
"source": {
"defect": [
"PAN-145149",
"PAN-145150",
"PAN-145151",
"PAN-145195"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "Until PAN-OS software is upgraded to a fixed version, enabling signatures in content update version 8317 will block attacks against CVE-2020-2040."
}
]
}
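Review bot: The CVE-2020-2040 `solution` text states that all Prisma Access services were upgraded to resolve this issue, but `product_data` lists only PAN-OS, so a consumer working from the structured affects block alone would not learn that Prisma Access was ever in scope. If Prisma Access was affected, a second `product_data` entry for it (or at least a `configuration` note) would keep the structured data in step with the prose; if it was not, the sentence is presumably informational and could say so. The `version_affected: "="` entry for `8.0.*` matches the description's "All versions of PAN-OS 8.0", and the solution's end-of-life remark covers why no 8.0 fix is listed.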


@ -1,18 +1,146 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2041",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Management web interface denial-of-service (DoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!",
"version_name": "9.0",
"version_value": "9.0.*"
},
{
"version_affected": "!",
"version_name": "9.1",
"version_value": "9.1.*"
},
{
"version_affected": "!",
"version_name": "10.0",
"version_value": "10.0.*"
},
{
"version_affected": "=",
"version_name": "8.0",
"version_value": "8.0.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was found by Nicholas Newsom of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An insecure configuration of the appweb daemon of Palo Alto Networks PAN-OS 8.1 allows a remote unauthenticated user to send a specifically crafted request to the device that causes the appweb service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode.\n\nThis issue impacts all versions of PAN-OS 8.0, and PAN-OS 8.1 versions earlier than 8.1.16."
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-16 Configuration"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2041"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.16 and all later PAN-OS versions.\n\nPAN-OS 7.1 and PAN-OS 8.0 are end-of-life and are no longer covered by our Product Security Assurance policies."
}
],
"source": {
"defect": [
"PAN-151978"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the management web interface of PAN-OS. You can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}


@ -1,18 +1,142 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2042",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Buffer overflow in the management web interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_affected": "!",
"version_name": "9.1",
"version_value": "9.1.*"
},
{
"version_affected": "!",
"version_name": "9.0",
"version_value": "9.0.*"
},
{
"version_affected": "!",
"version_name": "8.1",
"version_value": "8.1.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was found by Nicholas Newsom of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A buffer overflow vulnerability in the PAN-OS management web interface allows authenticated administrators to disrupt system processes and potentially execute arbitrary code with root privileges.\nThis issue impacts only PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.\n"
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.\n"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2042"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 10.0.1 and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-145797",
"PAN-150409"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}


@ -1,18 +1,151 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2043",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Passwords may be logged in clear text when using after-change-detail custom syslog field for config logs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.4"
},
{
"version_affected": "!>=",
"version_name": "10.0",
"version_value": "10.0.0"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.4"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "This issue is only applicable when when the after-change-detail custom syslog field is enabled for config logs."
}
],
"credit": [
{
"lang": "eng",
"value": "This issue was found by a customer of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An information exposure through log file vulnerability where sensitive fields are recorded in the configuration log without masking on Palo Alto Networks PAN-OS software when the after-change-detail custom syslog field is enabled for configuration logs and the sensitive field appears multiple times in one log entry. The first instance of the sensitive field is masked but subsequent instances are left in clear text.\nThis issue impacts:\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.16;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.10;\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.4."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532 Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2043"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-146837"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue requires access to PAN-OS log files generated in the system. You can mitigate the impact of this issue by following best practices for securing the PAN-OS management interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}
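Review bot: The CVE-2020-2043 `configuration` value contains a doubled word, `only applicable when when the after-change-detail`, which should read `only applicable when the after-change-detail custom syslog field is enabled for config logs.`. This record is also the only one of the nine that omits the `exploit` block the others carry (`"Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."`); if that statement holds here too, adding it keeps the records uniform for consumers that key off that field. Separately, the `credit` text says the issue was found by a customer, while `source.discovery` is `INTERNAL` and the externally reported records in this commit use `EXTERNAL`; presumably one of the two should change, but which is a question for the author.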


@ -1,18 +1,151 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-09-09T16:00:00.000Z",
"ID": "CVE-2020-2044",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Passwords may be logged in clear text while storing operational command (op command) history"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.16"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.10"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "=",
"version_name": "8.0",
"version_value": "8.0.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was found by Yamata Li of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An information exposure through log file vulnerability where an administrator's password or other sensitive information may be logged in cleartext while using the CLI in Palo Alto Networks PAN-OS software. The opcmdhistory.log file was introduced to track operational command (op-command) usage but did not mask all sensitive information.\n\nThe opcmdhistory.log file is removed in PAN-OS 9.1 and later PAN-OS versions. Command usage is recorded, instead, in the req_stats.log file in PAN-OS 9.1 and later PAN-OS versions.\n\nThis issue impacts:\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.16;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.10;\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.3."
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532 Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2044"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.3, and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-135262"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-09-09T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue requires access to PAN-OS log files generated in the system. You can mitigate the impact of this issue by following best practices for securing the PAN-OS management interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}
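Review bot: The CVE-2020-2044 description appears to contradict its own affected-version list: it states that `opcmdhistory.log` is removed in PAN-OS 9.1 and later, yet it then lists `PAN-OS 9.1 versions earlier than PAN-OS 9.1.3` as impacted, and `version_data` marks 9.1 as affected below 9.1.3. If 9.1 is affected because the replacement `req_stats.log` had the same masking gap, the description should say so explicitly, e.g. `Command usage is recorded, instead, in the req_stats.log file in PAN-OS 9.1 and later PAN-OS versions, which is affected in the same way before PAN-OS 9.1.3.`; if 9.1 is not affected, the 9.1 entries and the solution text need to drop it. As written, a reader cannot tell whether a 9.1.0 system needs the upgrade.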