Lucene search

Palo_altoCVELIST:CVE-2020-1993

HistoryMay 13, 2020 - 12:00 a.m.

CVE-2020-1993 PAN-OS: GlobalProtect Portal PHP session fixation vulnerability

2020-05-1300:00:00

CWE-384

palo_alto

www.cve.org

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user’s session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

CNA Affected

[
  {
    "product": "PAN-OS",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "status": "affected",
        "version": "8.0.*"
      },
      {
        "status": "affected",
        "version": "7.1.*"
      },
      {
        "changes": [
          {
            "at": "8.1.14",
            "status": "unaffected"
          }
        ],
        "lessThan": "8.1.14",
        "status": "affected",
        "version": "8.1",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "9.0.8",
            "status": "unaffected"
          }
        ],
        "lessThan": "9.0.8",
        "status": "affected",
        "version": "9.0",
        "versionType": "custom"
      },
      {
        "lessThan": "9.2*",
        "status": "unaffected",
        "version": "9.2.0",
        "versionType": "custom"
      },
      {
        "lessThan": "9.1*",
        "status": "unaffected",
        "version": "9.1.0",
        "versionType": "custom"
      }
    ]
  }
]

References

security.paloaltonetworks.com/CVE-2020-1993