Total
197 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-2003 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-15 | 8.5 HIGH | 6.5 MEDIUM |
| An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system files affecting the integrity of the system or causing denial of service to all PAN-OS services. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions before 8.1.14; PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.1. | |||||
| CVE-2020-1993 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-15 | 5.5 MEDIUM | 5.4 MEDIUM |
| The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8. | |||||
| CVE-2020-1995 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-15 | 6.8 MEDIUM | 4.9 MEDIUM |
| A NULL pointer dereference vulnerability in Palo Alto Networks PAN-OS allows an authenticated administrator to send a request that causes the rasmgr daemon to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue affects: PAN-OS 9.1 versions earlier than 9.1.2. | |||||
| CVE-2020-2012 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 5.0 MEDIUM | 7.5 HIGH |
| Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system. This issue affects: All versions of PAN-OS for Panorama 7.1 and 8.0; PAN-OS for Panorama 8.1 versions earlier than 8.1.13; PAN-OS for Panorama 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-2017 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0. | |||||
| CVE-2020-2014 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 9.0 HIGH | 8.8 HIGH |
| An OS Command Injection vulnerability in PAN-OS management server allows authenticated users to inject and execute arbitrary shell commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-2010 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 9.0 HIGH | 7.2 HIGH |
| An OS command injection vulnerability in PAN-OS management interface allows an authenticated administrator to execute arbitrary OS commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-2008 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 9.0 HIGH | 7.2 HIGH |
| An OS command injection and external control of filename vulnerability in Palo Alto Networks PAN-OS allows authenticated administrators to execute code with root privileges or delete arbitrary system files and impact the system's integrity or cause a denial of service condition. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14. | |||||
| CVE-2020-2006 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 9.0 HIGH | 8.8 HIGH |
| A stack-based buffer overflow vulnerability in the management server component of PAN-OS that allows an authenticated user to potentially execute arbitrary code with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14. | |||||
| CVE-2020-1979 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-13 | 4.6 MEDIUM | 7.8 HIGH |
| A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. | |||||
| CVE-2020-1978 | 1 Paloaltonetworks | 2 Pan-os, Vm-series | 2020-04-10 | 1.9 LOW | 4.4 MEDIUM |
| TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials. | |||||
| CVE-2020-1992 | 1 Paloaltonetworks | 3 Pa-7050, Pa-7080, Pan-os | 2020-04-10 | 9.3 HIGH | 9.8 CRITICAL |
| A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000 Series devices with a Log Forwarding Card (LFC) allows remote attackers to crash the daemon creating a denial of service condition or potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.2 on PA-7000 Series devices with an LFC installed and configured. This issue requires WildFire services to be configured and enabled. This issue does not affect PAN-OS 8.1 and earlier releases. This issue does not affect any other PA Series firewalls. | |||||
| CVE-2020-1990 | 1 Paloaltonetworks | 1 Pan-os | 2020-04-09 | 9.0 HIGH | 7.2 HIGH |
| A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13; 9.0 versions before 9.0.7. This issue does not affect PAN-OS 7.1. | |||||
| CVE-2020-1981 | 1 Paloaltonetworks | 1 Pan-os | 2020-03-13 | 7.2 HIGH | 7.8 HIGH |
| A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation. This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. | |||||
| CVE-2020-1980 | 1 Paloaltonetworks | 1 Pan-os | 2020-03-13 | 7.2 HIGH | 7.8 HIGH |
| A shell command injection vulnerability in the PAN-OS CLI allows a local authenticated user to escape the restricted shell and escalate privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. This issue is fixed in PAN-OS 8.1.13, and all later versions. | |||||
| CVE-2020-1975 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-18 | 6.5 MEDIUM | 8.8 HIGH |
| Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions. | |||||
| CVE-2016-1712 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-17 | 7.2 HIGH | 7.8 HIGH |
| Palo Alto Networks PAN-OS before 5.0.19, 5.1.x before 5.1.12, 6.0.x before 6.0.14, 6.1.x before 6.1.12, and 7.0.x before 7.0.8 might allow local users to gain privileges by leveraging improper sanitization of the root_reboot local invocation. | |||||
| CVE-2014-3764 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the web-based device management interface in Palo Alto Networks PAN-OS before 5.0.15, 5.1.x before 5.1.10, and 6.0.x before 6.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Ref ID 64563. | |||||
| CVE-2019-17440 | 1 Paloaltonetworks | 3 Pa-7050, Pa-7080, Pan-os | 2020-02-17 | 10.0 HIGH | 9.8 CRITICAL |
| Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured. This issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC). This issue does not affect any other PA series devices. This issue does not affect devices without an LFC. This issue does not affect PAN-OS 8.1 or prior releases. This issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted. | |||||
| CVE-2017-17841 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an interface implements SSL decryption with RSA enabled or hosts a GlobalProtect portal or gateway, might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack. | |||||