Lucene search

Palo_altoVULNRICHMENT:CVE-2024-2433

HistoryMar 13, 2024 - 5:51 p.m.

CVE-2024-2433 PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss

2024-03-1317:51:45

CWE-269

palo_alto

github.com

cve-2024-2433

palo alto networks

panorama software

privilege management

availability loss

authorization vulnerability

web interface

disk partitions

management plane unaffected

data plane

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images.

This issue affects only the web interface of the management plane; the dataplane is unaffected.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*"
    ],
    "vendor": "paloaltonetworks",
    "product": "pan-os",
    "versions": [
      {
        "status": "affected",
        "version": "9.0",
        "lessThan": "9.0.17-h4",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.1",
        "lessThan": "9.1.17",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "10.1",
        "lessThan": "10.1.12",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "10.2",
        "lessThan": "10.2.8",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "11.0",
        "lessThan": "11.0.3",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*"
    ],
    "vendor": "paloaltonetworks",
    "product": "pan-os",
    "versions": [
      {
        "status": "unaffected",
        "version": "11.1.0"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:2.3:a:paloaltonetworks:cloud_ngfw:*:*:*:*:*:*:*:*"
    ],
    "vendor": "paloaltonetworks",
    "product": "cloud_ngfw",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "*"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:2.3:a:paloaltonetworks:prisma_access:*:*:*:*:*:*:*:*"
    ],
    "vendor": "paloaltonetworks",
    "product": "prisma_access",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "*"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

security.paloaltonetworks.com/CVE-2024-2433

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-2433