CVE-2017-7945Information Exposure via Error Message in Paloaltonetworks Pan-os

CWE-209Information Exposure via Error Message4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.4%
top 36.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Paloaltonetworks Pan-osPaloalto Pan-os
Timeline
PublishedApr 29
Latest updateMay 13

Description

The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests, aka PAN-SA-2017-0014 and PAN-72769.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

Palo Altopaloalto/pan-os

🔴Vulnerability Details

2
GHSA
GHSA-jx68-2fp3-jrpx: The GlobalProtect external interface in Palo Alto Networks PAN-OS before 62022-05-13
CVEList
CVE-2017-7945: The GlobalProtect external interface in Palo Alto Networks PAN-OS before 62017-04-29

📋Vendor Advisories

1
Palo Alto
Brute force attack on the PAN-OS GlobalProtect external interface2017-04-28
CVE-2017-7945 — Information Exposure via Error Message | cvebase