Palo Alto Networks Security Advisories / PAN-SA-2016-0016

PAN-SA-2016-0016 Web Interface Privilege Escalation


047910
Severity 7.8 · HIGH
Attack Vector LOCAL
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required LOW
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH
JSON CSAF
Published 2016-07-15
Updated 2016-07-15
Reference 88191, PAN-SA-2016-0016

Description

Palo Alto Networks Panorama administrators have the ability to assign predefined permissions to users created on PAN-OS. A read-only user with CLI access could elevate web interface privileges. (Ref. 88191)

A user could elevate privileges by impersonating another user with higher permissions.

This issue affects PAN-OS 5.0.18 and earlier; PAN-OS 5.1.11 and earlier; PAN-OS 6.0.13 and earlier; PAN-OS 6.1.10 and earlier; PAN-OS 7.0.4 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 7.0<= 7.0.4>= 7.0.5
PAN-OS 6.1<= 6.1.10>= 6.1.11
PAN-OS 6.0<= 6.0.13>= 6.0.14
PAN-OS 5.1<= 5.1.11>= 5.1.12
PAN-OS 5.0<= 5.0.18>= 5.0.19

Severity: HIGH

CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Solution

PAN-OS 5.0.19 and later; PAN-OS 5.1.12 and later; PAN-OS 6.0.14 and later; PAN-OS 6.1.11 and later; PAN-OS 7.0.5 and later

Workarounds and Mitigations

Customers running versions of Panorama affected by this issue could create a custom admin role that does not allow CLI access and to avoid any privilege escalation. Firewalls running PAN-OS are not affected by this issue.

Acknowledgments

Palo Alto Networks thanks John Perry, the Boeing Company for discovering and reporting the issue."
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.