Lucene search

K
cvelistPalo_altoCVELIST:CVE-2021-3059
HistoryNov 10, 2021 - 5:10 p.m.

CVE-2021-3059 PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates

2021-11-1017:10:23
CWE-78
palo_alto
www.cve.org
4
palo alto networks
command injection
dynamic updates
privilege escalation
pan-os 8.1
pan-os 9.0
pan-os 9.1
pan-os 10.0
pan-os 10.1
prisma access 2.1

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

46.8%

An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue.

CNA Affected

[
  {
    "product": "PAN-OS",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "changes": [
          {
            "at": "10.0.8",
            "status": "unaffected"
          }
        ],
        "lessThan": "10.0.8",
        "status": "affected",
        "version": "10.0",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "10.1.3",
            "status": "unaffected"
          }
        ],
        "lessThan": "10.1.3",
        "status": "affected",
        "version": "10.1",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "8.1.20-h1",
            "status": "unaffected"
          }
        ],
        "lessThan": "8.1.20-h1",
        "status": "affected",
        "version": "8.1",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "9.0.14-h3",
            "status": "unaffected"
          }
        ],
        "lessThan": "9.0.14-h3",
        "status": "affected",
        "version": "9.0",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "9.1.11-h2",
            "status": "unaffected"
          }
        ],
        "lessThan": "9.1.11-h2",
        "status": "affected",
        "version": "9.1",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Prisma Access",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "status": "affected",
        "version": "2.1 Innovation"
      },
      {
        "status": "affected",
        "version": "2.1 Preferred"
      },
      {
        "lessThan": "2.2*",
        "status": "unaffected",
        "version": "all",
        "versionType": "custom"
      }
    ]
  }
]

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

46.8%

Related for CVELIST:CVE-2021-3059