Palo Alto Networks Security Advisories / PAN-SA-2016-0016

PAN-SA-2016-0016 Web Interface Privilege Escalation

Severity 7.8 · HIGH
Attack Vector LOCAL
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required LOW
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH


Palo Alto Networks Panorama administrators have the ability to assign predefined permissions to users created on PAN-OS. A read-only user with CLI access could elevate web interface privileges. (Ref. 88191)

A user could elevate privileges by impersonating another user with higher permissions.

This issue affects PAN-OS 5.0.18 and earlier; PAN-OS 5.1.11 and earlier; PAN-OS 6.0.13 and earlier; PAN-OS 6.1.10 and earlier; PAN-OS 7.0.4 and earlier

Product Status

PAN-OS 7.0<= 7.0.4>= 7.0.5
PAN-OS 6.1<= 6.1.10>= 6.1.11
PAN-OS 6.0<= 6.0.13>= 6.0.14
PAN-OS 5.1<= 5.1.11>= 5.1.12
PAN-OS 5.0<= 5.0.18>= 5.0.19

Severity: HIGH

CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type


PAN-OS 5.0.19 and later; PAN-OS 5.1.12 and later; PAN-OS 6.0.14 and later; PAN-OS 6.1.11 and later; PAN-OS 7.0.5 and later

Workarounds and Mitigations

Customers running versions of Panorama affected by this issue could create a custom admin role that does not allow CLI access and to avoid any privilege escalation. Firewalls running PAN-OS are not affected by this issue.


John Perry, the Boeing Company
© 2024 Palo Alto Networks, Inc. All rights reserved.