CVE-2024-3383 — Improper Ownership Management in Palo Alto Networks Pan-os

CWE-282 — Improper Ownership Management4 documents4 sources

Severity

9.1CRITICALNVD

CNA7.4

EPSS

0.2%

top 51.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Cloud Ngfw +2 more

Timeline

PublishedApr 10

Description

A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages5 packages

▶NVDpaloaltonetworks/pan-os10.1.0 — 10.1.11+2

▶CVEListV5palo_alto_networks/pan-os11.0.0 — 11.0.3+2

▶Palo Altopaloalto/prisma_access

▶Palo Altopaloalto/cloud_ngfw

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

CVEList

PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE)↗2024-04-10

▶

GHSA

GHSA-wvjp-4x3w-pvqx: A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User↗2024-04-10

▶

📋Vendor Advisories

Palo Alto

PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE)↗2024-04-10

▶