CVE-2020-1996 — Missing Authorization in Palo Alto Networks Pan-os

CWE-862 — Missing Authorization6 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.7%

top 27.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Pan-os

Timeline

PublishedMay 13

Latest updateMay 24

Description

A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5palo_alto_networks/pan-os8.1 — 8.1.14+3

▶NVDpaloaltonetworks/pan-os7.1.0 — 7.1.26+3

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-grq6-472c-73fx: A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages in↗2022-05-24

▶

CVEList

PAN-OS: Panorama management server log injection↗2020-05-13

▶

Kernel

vgacon: Fix a UAF in vgacon_invert_region↗2020-03-04

▶

Kernel

vt: selection, close sel_buffer race↗2020-02-10

▶

📋Vendor Advisories

Palo Alto

PAN-OS: Panorama management server log injection↗2020-05-13

▶