An external control of path and data vulnerability exists in the Palo Alto Networks PAN-OS Panorama XSLT processing logic. It allows an unauthenticated user with network access to the PAN-OS management interface to write an attacker-supplied file on the system and elevate privileges.
This issue affects:
All PAN-OS 7.1 Panorama and 8.0 Panorama versions;
PAN-OS 8.1 versions earlier than 8.1.12 on Panorama;
PAN-OS 9.0 versions earlier than 9.0.6 on Panorama.
| PAN-OS version | Affected | Unaffected |
|---|---|---|
| 9.0 | < 9.0.6 | >= 9.0.6 |
| 8.1 | < 8.1.12 | >= 8.1.12 |
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
This issue is fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later PAN-OS versions.
PAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
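The version ranges above can be checked against a Panorama inventory. The following Python sketch is an added example, not Palo Alto Networks code. It assumes version strings of the form `major.minor.maintenance` with an optional `-hN` hotfix suffix, and the hostnames are constructed placeholders.

```python
import re

FIXED_IN = {(8, 1): (8, 1, 12), (9, 0): (9, 0, 6)}  # first fixed release per branch
ALL_AFFECTED = {(7, 1), (8, 0)}                      # every version affected
# Assumed version format: major.minor.maintenance with an optional "-hN" hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text):
    """Return (major, minor, maintenance) as ints; the hotfix suffix is ignored."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def panorama_status(version):
    """Classify a Panorama PAN-OS version as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in ALL_AFFECTED:
        return "affected"
    if branch in FIXED_IN:
        # Integer tuples compare numerically, so 9.0.10 sorts after 9.0.6.
        return "affected" if parsed < FIXED_IN[branch] else "fixed"
    if branch > (9, 0):
        return "fixed"  # "all later PAN-OS versions"
    return "unknown"    # branch not mentioned in the advisory


def needs_attention(inventory):
    """Return sorted (host, version, status) rows for every host not known fixed."""
    rows = []
    for host, version in inventory.items():
        try:
            status = panorama_status(version)
        except ValueError:
            status = "unparsed"
        if status != "fixed":
            rows.append((host, version, status))
    return sorted(rows)


# Constructed inventory of Panorama appliances (hostnames are placeholders).
SAMPLE_INVENTORY = {
    "panorama-a.example": "8.1.11-h2",
    "panorama-b.example": "9.0.10",
    "panorama-c.example": "8.0.20",
}
```

Calling `needs_attention(SAMPLE_INVENTORY)` lists the hosts that still need the upgrade; entries marked `unknown` or `unparsed` need a manual check because the advisory does not cover them.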