CVE-2021-3044
published 2021-06-22


Priority: P263 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.41% (69.2nd percentile)
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; Cortex XSOAR 6.2.0 builds earlier than 1271065. This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions. All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.

Affected (5 ranges)

Vendor             | Product      | Version range        | Fixed in
palo_alto_networks | cortex_xsoar | >= 1016923 < 6.1.0*  | 6.1.0*
palo_alto_networks | cortex_xsoar | >= 6.2.0 < 1271065   | 1271065
paloalto           | cortex_xsoar |                      |
paloaltonetworks   | cortex_xsoar |                      |
paloaltonetworks   | cortex_xsoar |                      |

Detection & IOCs (extracted from sources)

  • Monitor for unauthenticated REST API requests to the Cortex XSOAR server — CVE-2021-3044 allows remote unauthenticated attackers to perform unauthorized actions via the REST API without valid credentials.
  • Flag Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064, and Cortex XSOAR 6.2.0 builds earlier than 1271065 as vulnerable — these specific build ranges are the affected attack surface.
  • Cortex XSOAR 5.5.0, 6.0.0, 6.0.1, and 6.0.2 are NOT affected — do not flag these versions as vulnerable.
  • All Palo Alto Networks-hosted Cortex XSOAR instances were already patched; only self-hosted instances in the vulnerable build ranges require action.
  • As a temporary workaround (pre-patch), all active integration API keys must be revoked to prevent exploitation; new keys can be created after upgrading.
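The build-range rules in the detection notes above can be turned into an inventory check. This is an added example, not code from Palo Alto Networks or from this database; it assumes a constructed inventory line format (`<host> <version> build <n> <self|pan>`) and takes the build boundaries from the advisory text, treating "later than" and "earlier than" as exclusive.

```python
# Added example (not vendor code): triage Cortex XSOAR inventory against the CVE-2021-3044 ranges.
import re
from typing import Optional

# version -> (lower bound, upper bound), both exclusive; None = no lower bound
AFFECTED = {"6.1.0": (1016923, 1271064), "6.2.0": (None, 1271065)}
NOT_AFFECTED = {"5.5.0", "6.0.0", "6.0.1", "6.0.2"}

def is_vulnerable(version: str, build: int) -> Optional[bool]:
    """True = inside an affected build range, False = fixed or unaffected,
    None = version not covered by the advisory (needs manual review)."""
    if version in NOT_AFFECTED:
        return False
    bounds = AFFECTED.get(version)
    if bounds is None:
        return None
    low, high = bounds
    if low is not None and build <= low:
        return False          # "later than 1016923" excludes 1016923 itself
    return build < high       # the fixed build itself is not vulnerable

# Constructed inventory line format: <host> <version> build <n> <self|pan>
LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+)\s+build\s+(\d+)\s+(self|pan)$")
LABEL = {True: "vulnerable", False: "ok", None: "review"}

def triage(inventory: str) -> dict:
    """Map host -> 'vulnerable' | 'ok' | 'review'. Palo Alto-hosted ('pan')
    instances are already upgraded per the advisory, so they are 'ok'."""
    result = {}
    for line in inventory.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # skip malformed lines rather than guess
        host, version, build, hosting = m.groups()
        if hosting == "pan":
            result[host] = "ok"
        else:
            result[host] = LABEL[is_vulnerable(version, int(build))]
    return result

# Constructed sample inventory, chosen to exercise the range boundaries.
SAMPLE = """
xsoar-a 6.1.0 build 1100000 self
xsoar-b 6.1.0 build 1016923 self
xsoar-c 6.1.0 build 1271064 self
xsoar-d 6.2.0 build 1271065 self
xsoar-e 6.2.0 build 1200000 pan
xsoar-f 6.0.2 build 999999 self
xsoar-g 6.3.0 build 1300000 self
"""
```

Hosts marked `review` are versions the advisory does not name and should be checked against the vendor's own guidance rather than assumed safe.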

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P