CVE-2020-2013: Cleartext Transmission of Sensitive Info in Palo Alto Networks Pan-os

Severity
8.8 HIGH (NVD)
CNA 8.3 | GHSA 7.5
EPSS
0.3%
top 43.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 13
Latest update: May 24

Description

A cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS Panorama that discloses an authenticated PAN-OS administrator's PAN-OS session cookie. When an administrator issues a context switch request into a managed firewall with an affected PAN-OS Panorama version, their PAN-OS session cookie is transmitted over cleartext to the firewall. An attacker with the ability to intercept this network traffic between the firewall and Panorama can access the administrator

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

NVD | paloaltonetworks/pan-os | 8.1.0 | 8.1.13 | +4
CVEListV5 | palo_alto_networks/pan-os | 9.0 | 9.0.6 | +4
Palo Alto | paloalto/pan-os

🔴 Vulnerability Details

3
GHSA
GHSA-3cj6-6mmq-x25x: A cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS Panorama that discloses an authenticated PAN-OS administr (2022-05-24)
GHSA
Unsafe object creation in json RubyGem (2020-07-27)
CVEList
PAN-OS: Panorama context switch session cookie disclosure (2020-05-13)

💥 Exploits & PoCs

4
Exploit-DB
IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP (2021-06-07)
Exploit-DB
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (2020-10-20)
Exploit-DB
Microsoft SharePoint Server 2019 - Remote Code Execution (2020-08-17)
Exploit-DB
UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass (2020-07-23)

📋 Vendor Advisories

2
Palo Alto
PAN-OS: Panorama context switch session cookie disclosure (2020-05-13)
Red Hat
php: multiple vulnerabilities in gdImageCrop() (2014-02-06)

💬 Community

2
Bugzilla
CVE-2013-7489 python-beaker: Deserialization of Untrusted Data which can lead to Arbitrary code execution (2020-06-23)
Bugzilla
CVE-2013-2020 CVE-2013-2021 clamav: Multiple potential security issues fixed in upstream 0.97.8 version (2013-04-24)
CVE-2020-2013 — Palo Alto Networks Pan-os vulnerability | cvebase