CVE-2020-2001
Published 2020-05-13
CVE-2020-2001: An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user with…
Priority: P259 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.33% (67.6th percentile)
An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user with network access to PAN-OS management interface to write attacker supplied file on the system and elevate privileges. This issue affects: All PAN-OS 7.1 Panorama and 8.0 Panorama versions; PAN-OS 8.1 versions earlier than 8.1.12 on Panorama; PAN-OS 9.0 versions earlier than 9.0.6 on Panorama.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | oauth2-proxy_oauth2-proxy | >= 0 < 5.1.1 | 5.1.1 |
| juniper | junos_os | — | — |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.12 | 8.1.12 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.6 | 9.0.6 |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | 7.1.0 – 7.1.26 | — |
| paloaltonetworks | pan-os | 8.0.0 – 8.0.20 | — |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.12 | 8.1.12 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.6 | 9.0.6 |
Detection & IOCs
- The vulnerability exists in the XSLT processing logic of the PAN-OS Panorama management interface; monitor for unauthenticated requests to the PAN-OS management web interface that trigger XSLT processing, particularly those attempting to write files to the filesystem.
- The attack surface is the PAN-OS management web interface; restrict and monitor access to this interface for anomalous unauthenticated activity.
- PAN-OS 7.1 (all Panorama versions) and PAN-OS 8.0 (all Panorama versions) are fully affected with no patched release available; 7.1 is on extended support and only considered for critical fixes, and 8.0 is end-of-life.
- Fixed versions are PAN-OS 8.1.12 and PAN-OS 9.0.6; detection and triage should prioritize Panorama instances running versions below these thresholds.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
Palo Alto
PAN-OS: Panorama External control of file vulnerability leads to privilege escalation
vendor_paloalto·2020-05-13·CVSS 9.8
CVE-2020-2001 [CRITICAL] CWE-123 PAN-OS: Panorama External control of file vulnerability leads to privilege escalation
An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user with network access to PAN-OS management interface to write attacker supplied file on the system and elevate privileges.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later PAN-OS versions.
PAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Workaround: This issue impacts the management web interface. You ca
GHSA
GHSA-q4v5-5cqg-jf5j: An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user
ghsa_unreviewed·2022-05-24
CVE-2020-2001 [HIGH] GHSA-q4v5-5cqg-jf5j: An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user
An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user with network access to PAN-OS management interface to write attacker supplied file on the system and elevate privileges. This issue affects: All PAN-OS 7.1 Panorama versions; PAN-OS 8.0 versions earlier than 8.0.21 on Panorama; PAN-OS 8.1 versions earlier than 8.1.12 on Panorama; PAN-OS 9.0 versions earlier than 9.0.6 on Panorama.
GHSA
Open Redirect in OAuth2 Proxy
ghsa·2021-12-20
CVE-2020-11053 [HIGH] CWE-601 Open Redirect in OAuth2 Proxy
### Impact
Users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access.
This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially harmful sites.
However, by crafting a redirect URL with HTML encoded whitespace characters (e.g. `%0a`, `%0b`, `%09`, `%0d`) the validation could be bypassed and allow a redirect to any URL provided.
### Patches
@rootxharsh and @iamnoooob provided this patch as a potential solution:
```
From 4b941f56eda310b5c4dc8080b7635a6bfabccad4 Mon Sep 17 00:00:00 2001
From: Harsh Jaiswal
Date: Fri, 1 May 2020 20:38:
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-05-13