CVE-2012-6606 — Paloaltonetworks Globalprotect vulnerability

CWE-3104 documents4 sources

Severity

5.8MEDIUMNVD

EPSS

0.2%

top 54.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Paloaltonetworks Globalprotect Paloalto Globalprotect APP Paloalto Netconnect

Timeline

PublishedAug 31

Latest updateMay 13

Description

Palo Alto Networks GlobalProtect before 1.1.7, and NetConnect, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof portal servers and obtain sensitive information via a crafted certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages3 packages

▶NVDpaloaltonetworks/globalprotect1.1.6

▶Palo Altopaloalto/netconnect

▶Palo Altopaloalto/globalprotect_app

🔴Vulnerability Details

GHSA

GHSA-j4r7-wx6h-r3mw: Palo Alto Networks GlobalProtect before 1↗2022-05-13

▶

CVEList

CVE-2012-6606: Palo Alto Networks GlobalProtect before 1↗2013-08-31

▶

📋Vendor Advisories

Palo Alto

Man-in-the-middle Vulnerability in GlobalProtect App↗2012-10-22

▶