CVE-2020-2035: Improper Input Validation in Palo Alto Networks PAN-OS

Severity: 3.0 LOW (NVD)
EPSS: 0.3% (top 50.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 12; latest update May 24

Description

When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt web transactions, the PAN-OS URL filtering feature inspects the HTTP Host and URL path headers for policy enforcement on the decrypted HTTPS web transactions but does not consider the Server Name Indication (SNI) field within the TLS Client Hello handshake. This allows a compromised host in a protected network to evade any security policy that uses URL filtering on a firewall configured with SSL Decryption in the Forward P

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
Exploitability: 1.3 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: palo_alto_networks/pan-os (5 versions, +4)
Palo Alto: paloalto/pan-os

🔴 Vulnerability Details (2)

GHSA: GHSA-j3cp-2wgv-xj2j: When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt the web transactions, the PAN-OS URL filtering feature inspects the HTTP Hos (2022-05-24)
CVEList: PAN-OS: URL filtering policy is not enforced on TLS handshakes for decrypted HTTPS sessions (2020-08-12)

📋 Vendor Advisories (1)

Palo Alto: PAN-OS: URL filtering policy is not enforced on TLS handshakes for decrypted HTTPS sessions (2020-08-12)