Lucene search

K
cvelistPalo_altoCVELIST:CVE-2024-3400
HistoryApr 12, 2024 - 7:20 a.m.

CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

2024-04-1207:20:00
CWE-20
CWE-77
palo_alto
www.cve.org
cve-2024-3400
pan-os
command injection
globalprotect
palo alto networks
vulnerability
unauthenticated attacker
root privileges
firewall
cloud ngfw
panorama
prisma access

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.957 High

EPSS

Percentile

99.4%

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PAN-OS",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "status": "unaffected",
        "version": "9.0.0"
      },
      {
        "status": "unaffected",
        "version": "9.1.0"
      },
      {
        "status": "unaffected",
        "version": "10.0.0"
      },
      {
        "status": "unaffected",
        "version": "10.1.0"
      },
      {
        "changes": [
          {
            "at": "10.2.9-h1",
            "status": "unaffected"
          }
        ],
        "lessThan": "10.2.9-h1",
        "status": "affected",
        "version": "10.2.0",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "11.0.4-h1",
            "status": "unaffected"
          }
        ],
        "lessThan": "11.0.4-h1",
        "status": "affected",
        "version": "11.0.0",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "11.1.2-h3",
            "status": "unaffected"
          }
        ],
        "lessThan": "11.1.2-h3",
        "status": "affected",
        "version": "11.1.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Cloud NGFW",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "status": "unaffected",
        "version": "All"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Prisma Access",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "status": "unaffected",
        "version": "All"
      }
    ]
  }
]

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.957 High

EPSS

Percentile

99.4%