CVE-2024-5919 PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability

Palo Alto Networks Security Advisories / CVE-2024-5919

CVE-2024-5919 PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability

Urgency MODERATE

Severity 1.2 · LOW

Exploit Maturity UNREPORTED

Response Effort MODERATE

Recovery AUTOMATIC

Value Density CONCENTRATED

Attack Vector NETWORK

Attack Complexity LOW

Attack Requirements NONE

Automatable NO

User Interaction NONE

Product Confidentiality LOW

Product Integrity LOW

Product Availability NONE

Privileges Required HIGH

Subsequent Confidentiality NONE

Subsequent Integrity NONE

Subsequent Availability NONE

NVD JSON

Published 2024-11-13

Updated 2024-11-13

Reference PAN-205062

Discovered externally

Description

A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker controlled server. This attack requires network access to the firewall management interface.

Product Status

Versions	Affected	Unaffected
Cloud NGFW	None	All
PAN-OS 11.2	None	All
PAN-OS 11.1	None	All
PAN-OS 11.0	< 11.0.2	>= 11.0.2
PAN-OS 10.2	< 10.2.5	>= 10.2.5
PAN-OS 10.1	< 10.1.10	>= 10.1.10
Prisma Access	None	All

Severity: LOW, Suggested Urgency: MODERATE

CVSS-BT: 1.2 / CVSS-B: 5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:A/V:C/RE:M/U:Amber

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-611 Improper Restriction of XML External Entity Reference

Solution

This issue is fixed in PAN-OS 10.1.10, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

Acknowledgments

Palo Alto Networks thanks Dan Marin of Deloitte, Cristian Mocanu of Deloitte, and Alex Hordijk for discovering and reporting the issue.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*

Show MoreShow Less

Timeline

2024-11-13 Initial publication