admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-07 21:47:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

CVEs assigned in Palo Alto Networks Security Advisories for July 2020 Patch Wednesday.

Browse Source 
CVEs assigned in Palo Alto Networks Security Advisories for July 2020 Patch Wednesday.
This commit is contained in:
Chandan 2020-07-08 09:29:08 -07:00
parent 1474a39671
commit f0c0098ff6
No known key found for this signature in database
GPG Key ID: 76A1F9BB8C9E02F5
4 changed files with 542 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
2020/1xxx/CVE-2020-1982.json
View File

@ -1,18 +1,157 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-07-08T16:00:00.000Z",
"ID": "CVE-2020-1982",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: TLS 1.0 usage for certain communications with Palo Alto Networks cloud delivered services"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "=",
"version_name": "8.0",
"version_value": "8.0.*"
},
{
"version_affected": "!",
"version_name": "7.1",
"version_value": "7.1.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was found by a customer."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol.\n\nThese cloud services include Cortex Data Lake, the Customer Support Portal, and the Prisma Access infrastructure.\n\nConditions required for exploitation of known TLS 1.0 weaknesses do not exist for the communication between PAN-OS and cloud-delivered services. We do not believe that any communication is impacted as a result of known attacks against TLS 1.0.\n\nThis issue impacts:\nAll versions of PAN-OS 8.0;\nPAN-OS 8.1 versions earlier than PAN-OS 8.1.14;\nPAN-OS 9.0 versions earlier than PAN-OS 9.0.9;\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.3.\n\nPAN-OS 7.1 is not impacted by this issue."
}
]
}
},
"exploit": [
{
"lang": "eng",
"value": "Conditions required for exploitation of known TLS 1.0 weaknesses do not exist for the communication between PAN-OS and cloud delivered services. Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-326 Inadequate Encryption Strength"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-1982"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.\n\nA fixed version of PAN-OS is required to ensure secure usage of cloud-delivered services without interruption.\n\nPAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and October 31, 2019 respectively) and are no longer covered by our Product Security Assurance policies."
}
],
"source": {
"defect": [
"PAN-141122",
"PAN-141579"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "eng",
"time": "2020-07-08T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "Since TLS 1.0 weaknesses are exploited by the man-in-the-middle type of attackers, ensuring security of the networks reduces risks of exploitation of these issues."
}
]
}

141
2020/2xxx/CVE-2020-2030.json
View File

@ -1,18 +1,145 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-07-08T16:00:00.000Z",
"ID": "CVE-2020-2030",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS command injection vulnerability in the management interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.0"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "=",
"version_name": "8.0",
"version_value": "8.0.*"
},
{
"version_affected": "=",
"version_name": "7.1",
"version_value": "7.1.*"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.0"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was found by Jin Chen of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges.\nThis issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and all versions of PAN-OS 7.1 and PAN-OS 8.0.\n\nThis issue does not impact PAN-OS 9.0, PAN-OS 9.1, or Prisma Access services."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2030"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.15 and all later PAN-OS versions."
},
{
"lang": "eng",
"value": "PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and October 31, 2019 respectively) and are no longer covered by our Product Security Assurance policies."
}
],
"source": {
"defect": [
"PAN-100226",
"PAN-102677"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-07-08T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the PAN-OS management interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}

126
2020/2xxx/CVE-2020-2031.json
View File

@ -1,18 +1,130 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-07-08T16:00:00.000Z",
"ID": "CVE-2020-2031",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: Integer underflow in the management interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!",
"version_name": "9.0",
"version_value": "9.0.*"
},
{
"version_affected": "!",
"version_name": "8.1",
"version_value": "8.1.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Jin Chen of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An integer underflow vulnerability in the dnsproxyd component of the PAN-OS management interface allows authenticated administrators to issue a command from the command line interface that causes the component to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode.\nThis issue impacts:\nPAN-OS 9.1 versions earlier than PAN-OS 9.1.3.\n\nThis issue does not impact PAN-OS 8.1, PAN-OS 9.0, or Prisma Access services."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-191 Integer Underflow (Wrap or Wraparound)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2031"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 9.1.3 and all later PAN-OS versions."
}
],
"source": {
"defect": [
"PAN-100000"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-07-08T16:00:00.000Z",
"value": "Initial publication"
}
],
"work_around": [
{
"lang": "eng",
"value": "This issue impacts the PAN-OS management interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."
}
]
}

150
2020/2xxx/CVE-2020-2034.json
View File

@ -1,18 +1,154 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-07-08T16:00:00.000Z",
"ID": "CVE-2020-2034",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "PAN-OS: OS command injection vulnerability in GlobalProtect portal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PAN-OS",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "!>=",
"version_name": "9.1",
"version_value": "9.1.3"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "!>=",
"version_name": "9.0",
"version_value": "9.0.9"
},
{
"version_affected": "<",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "!>=",
"version_name": "8.1",
"version_value": "8.1.15"
},
{
"version_affected": "=",
"version_name": "8.0",
"version_value": "8.0.*"
},
{
"version_affected": "=",
"version_name": "7.1",
"version_value": "7.1.*"
}
]
}
}
]
},
"vendor_name": "Palo Alto Networks"
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "This issue is applicable only where GlobalProtect portal is enabled."
}
],
"credit": [
{
"lang": "eng",
"value": "This issue was found by Yamata Li of Palo Alto Networks during internal security review."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled.\nThis issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.\n\nPrisma Access services are not impacted by this vulnerability.\n"
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2020-2034"
}
]
},
"solution": [
{
"lang": "eng",
"value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions."
},
{
"lang": "eng",
"value": "PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and October 31, 2019 respectively) and are no longer covered by our Product Security Assurance policies."
}
],
"source": {
"defect": [
"PAN-145587"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "eng",
"time": "2020-07-08T16:00:00.000Z",
"value": "Initial publication"
}
]
}