Palo Alto Networks Security Advisories / CVE-2021-3045

CVE-2021-3045 PAN-OS: OS Command Argument Injection in Web Interface

047910
Severity 4.9 · MEDIUM
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required HIGH
Integrity Impact NONE
User Interaction NONE
Availability Impact NONE
NVD JSON
Published 2021-08-11
Updated 2021-08-11
Reference PAN-147781
Discovered externally

Description

An OS command argument injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.19;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.10.

PAN-OS 10.0 and later versions are not impacted.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.1None10.1.*
PAN-OS 10.0None10.0.*
PAN-OS 9.1< 9.1.10>= 9.1.10
PAN-OS 9.0< 9.0.14>= 9.0.14
PAN-OS 8.1< 8.1.19>= 8.1.19

Severity: MEDIUM

CVSSv3.1 Base Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Weakness Type

CWE-88 Argument Injection or Modification

Solution

This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.14, PAN-OS 9.1.10, and all later PAN-OS versions.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks Brandon Vincent for discovering and reporting this issue.

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.