CVE-2020-1993Session Fixation in Palo Alto Networks Pan-os

CWE-384Session Fixation4 documents4 sources
Severity
5.4MEDIUMNVD
CNA3.7
EPSS
0.2%
top 56.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Palo Alto Networks Pan-osPaloaltonetworks Pan-osPaloalto Pan-os
Timeline
PublishedMay 13
Latest updateMay 24

Description

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

CVEListV5palo_alto_networks/pan-os8.18.1.14+3
NVDpaloaltonetworks/pan-os7.1.07.1.26+3
Palo Altopaloalto/pan-os

🔴Vulnerability Details

2
GHSA
GHSA-w8pj-jc9c-cq4v: The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks,2022-05-24
CVEList
PAN-OS: GlobalProtect Portal PHP session fixation vulnerability2020-05-13

📋Vendor Advisories

1
Palo Alto
PAN-OS: GlobalProtect Portal PHP session fixation vulnerability2020-05-13
CVE-2020-1993 — Session Fixation in Palo | cvebase