CVE-2021-3044
Published 2021-06-22. Summary: An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR…
Priority: P2 (63) · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.41% (69.2th percentile)
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; Cortex XSOAR 6.2.0 builds earlier than 1271065. This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions. All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.
Affected
2 ranges with version data (the same product is also indexed under the vendor slugs paloalto and paloaltonetworks with no version information)
| Vendor | Product | Version | Affected builds | Fixed in |
|---|---|---|---|---|
| palo_alto_networks | cortex_xsoar | 6.1.0 | later than 1016923 and earlier than 1271064 | 6.1.0 build 1271064 |
| palo_alto_networks | cortex_xsoar | 6.2.0 | earlier than 1271065 | 6.2.0 build 1271065 |
Not affected: Cortex XSOAR 5.5.0, 6.0.0, 6.0.1 and 6.0.2. Later releases carry the fix.
Detection & IOCs (extracted from sources)
- Monitor for REST API requests to the Cortex XSOAR server that do not carry valid credentials: CVE-2021-3044 allows a remote unauthenticated attacker with network access to perform unauthorized actions via the REST API. No detection rule or public PoC is indexed for this CVE, so this is a generic control rather than a signature; restrict network access to the server's REST API where possible.
- Flag Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064, and Cortex XSOAR 6.2.0 builds earlier than 1271065, as vulnerable; these build ranges are the affected attack surface.
- Cortex XSOAR 5.5.0, 6.0.0, 6.0.1 and 6.0.2 are NOT affected; do not flag these versions as vulnerable.
- All Palo Alto Networks-hosted Cortex XSOAR instances were already patched; only self-hosted instances in the vulnerable build ranges require action.
- As a temporary workaround before patching, revoke all active integration API keys to prevent exploitation; new keys can be created after upgrading. Revocation is not required once the server is upgraded.
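The version and build boundaries in the advisory are easy to get off by one ("later than 1016923" excludes 1016923; "earlier than 1271064" excludes the fixed build). The following triage helper encodes them as a check over a self-hosted fleet. It is an added example, not code from the advisory or from Palo Alto Networks: the function names, the `Assessment` record and the sample inventory are constructed for illustration, and it assumes you already know each server's release string and build number.

```python
"""Fleet triage for CVE-2021-3044 (Cortex XSOAR unauthorized REST API usage).

Added example; not from the advisory or the vendor. Boundaries come from the
advisory text: 6.1.0 builds later than 1016923 and earlier than 1271064 are
affected (fixed in build 1271064); 6.2.0 builds earlier than 1271065 are
affected (fixed in build 1271065); 5.5.0, 6.0.0, 6.0.1 and 6.0.2 are not
affected; all later releases carry the fix. Vendor-hosted instances were
upgraded by the vendor.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIXED_BUILD = {"6.1.0": 1271064, "6.2.0": 1271065}
# Only the 6.1.0 range has a lower bound; the bound itself is NOT affected.
LOWER_BOUND_EXCLUSIVE = {"6.1.0": 1016923}
NOT_AFFECTED_VERSIONS = {"5.5.0", "6.0.0", "6.0.1", "6.0.2"}
LAST_VERSION_IN_ADVISORY = (6, 2, 0)


@dataclass
class Assessment:
    version: str
    build: Optional[int]
    status: str  # "vulnerable" | "fixed" | "not_affected" | "unknown"
    action: str


def _version_tuple(version: str) -> Optional[Tuple[int, ...]]:
    """Parse '6.1.0' into (6, 1, 0); None for strings that are not dotted ints."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return None


def assess(version: str, build: Optional[int] = None,
           hosted_by_vendor: bool = False) -> Assessment:
    """Classify one Cortex XSOAR server against the advisory's build ranges."""
    if hosted_by_vendor:
        return Assessment(version, build, "fixed",
                          "no action: vendor-hosted instances were upgraded by the vendor")
    if version in NOT_AFFECTED_VERSIONS:
        return Assessment(version, build, "not_affected", "no action required")
    if version not in FIXED_BUILD:
        parsed = _version_tuple(version)
        if parsed is not None and parsed > LAST_VERSION_IN_ADVISORY:
            return Assessment(version, build, "fixed", "no action: later release carries the fix")
        return Assessment(version, build, "unknown",
                          "release not named in the advisory; confirm with the vendor")
    fixed = FIXED_BUILD[version]
    if build is None:
        return Assessment(version, build, "unknown",
                          f"build number required; vulnerable unless build >= {fixed}")
    lower = LOWER_BOUND_EXCLUSIVE.get(version)
    if lower is not None and build <= lower:
        return Assessment(version, build, "not_affected",
                          "build predates the affected range")
    if build < fixed:
        return Assessment(version, build, "vulnerable",
                          f"upgrade to {version} build {fixed} or later; until then "
                          "revoke all active integration API keys")
    return Assessment(version, build, "fixed", "no action required")


def triage(inventory: List[Tuple[str, str, Optional[int], bool]]) -> List[Tuple[str, Assessment]]:
    """Return (hostname, assessment) for every server that still needs attention."""
    results = []
    for host, version, build, vendor_hosted in inventory:
        a = assess(version, build, vendor_hosted)
        if a.status in ("vulnerable", "unknown"):
            results.append((host, a))
    return results


# Constructed sample inventory: (hostname, release, build, vendor-hosted?)
SAMPLE_INVENTORY = [
    ("xsoar-prod-1", "6.1.0", 1016923, False),  # at the lower bound: not affected
    ("xsoar-prod-2", "6.1.0", 1150000, False),  # inside the 6.1.0 range
    ("xsoar-stage", "6.2.0", 1271064, False),   # one short of the 6.2.0 fix
    ("xsoar-dev", "6.2.0", 1271065, False),     # fixed build
    ("xsoar-lab", "6.0.2", None, False),        # release not affected at all
    ("xsoar-saas", "6.1.0", 1150000, True),     # vendor-hosted, already upgraded
]

if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY):
        print(f"{host}: {a.version} build {a.build} -> {a.status}: {a.action}")
```

Running the block lists only xsoar-prod-2 and xsoar-stage. Feed it your real inventory in place of `SAMPLE_INVENTORY`; the "unknown" outcomes (missing build number, release not named in the advisory) are deliberately kept visible rather than silently treated as safe.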
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-266x-3x8x-xj7x (ghsa_unreviewed, 2022-05-24): CVE-2021-3044 [CRITICAL] CWE-863
Description matches the NVD text above: an improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API; affected are Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064 and Cortex XSOAR 6.2.0 builds earlier than 1271065; 5.5.0, 6.0.0, 6.0.1 and 6.0.2 are not affected; Palo Alto Networks-hosted instances were upgraded and need no action.
Palo Alto Networks (vendor_paloalto, 2021-06-22, CVSS 9.8)
CVE-2021-3044 [CRITICAL] CWE-285 Cortex XSOAR: Unauthorized Usage of the REST API
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API.
Affected products: Cortex XSOAR
Solution: This issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later Cortex XSOAR versions.
Revoking the active integration API keys is not required if the XSOAR server is upgraded.
Workaround: Until the XSOAR server is upgraded, to completely prevent the issue from being exploited, you must revoke all active integration API keys as a workaround.
To revoke integration API keys from the Cortex XSOAR web client:
Settings > Integration > API Keys a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-06-22