Palo Alto Networks Security Advisories / PAN-SA-2016-0010

PAN-SA-2016-0010 Update Server API Exposure


047910
Severity 0 · NONE
Attack Vector Not applicable
Scope Not applicable
Attack Complexity Not applicable
Confidentiality Impact NONE
Privileges Required Not applicable
Integrity Impact NONE
User Interaction Not applicable
Availability Impact NONE
JSON CSAF
Published 2016-07-01
Updated 2016-07-01
Reference PAN-SA-2016-0010

Description

The Palo Alto Networks update server enables downloading of PAN-OS software releases and dynamic updates through a public API. Some functions of the API were inadvertently exposed to the public.

API functions publicly available and exclusively used by internal workflow allowed for remote call. This did not affect Palo Alto Networks customers’ security posture, but some Palo Alto Networks update server data could be accessed.

This issue affects Palo Alto Networks update server

Product Status

VersionsAffectedUnaffected
Update server NoneNone

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

Solution

N/A

Workarounds and Mitigations

API functions that are utilized only by Palo Alto Networks backend systems have been migrated to an internal-facing only server. Externally facing functions that were deprecated or unused have been removed from the public-facing server.

Acknowledgments

Palo Alto Networks thanks Mikail Tunç for discovering and reporting the issue.
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.