The Palo Alto Networks firewalls API browser does not properly use the REST API tokens. In a specific scenario, an attacker could steal the authentication token and perform calls to the firewall’s API. (Ref # PAN-61046/PAN-100428)
This post-authentication issue requires the attacker to have access to a logged-in administrator’s browser.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 7.1 | <= 7.1.4 | >= 7.1.5 |
PAN-OS 7.0 | <= 7.0.10 | >= 7.0.11 |
PAN-OS 6.1 | <= 6.1.14 | >= 6.1.15 |
PAN-OS 6.0 | <= 6.0.14 | >= 6.0.15 |
PAN-OS 5.1 | <= 5.1.12 | >= 5.1.13 |
PAN-OS 5.0 | <= 5.0.19 | >= 5.0.20 |
CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later