Palo Alto Networks Security Advisories / PAN-SA-2021-0001

PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities

| Metric | Value |
| --- | --- |
| Severity | 0 · NONE |
| Attack Vector | Not applicable |
| Scope | Not applicable |
| Attack Complexity | Not applicable |
| Confidentiality Impact | NONE |
| Privileges Required | Not applicable |
| Integrity Impact | NONE |
| User Interaction | Not applicable |
| Availability Impact | NONE |

Description

The Palo Alto Networks Product Security Assurance team evaluated the vulnerabilities CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511, which affect the standard Golang XML parsing library.

All versions of Cortex XSOAR use a version of Golang that contains these vulnerabilities, but there are no scenarios in which they can be successfully exploited in Cortex XSOAR.

As a result, there is no known security impact from these issues in Cortex XSOAR. However, out of an abundance of caution, we removed the impacted Golang code entirely from Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.2, and all later versions of Cortex XSOAR.

| CVE | CVSS | Summary |
| --- | --- | --- |
| CVE-2020-29509 | 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) | Conditions required for exploiting this vulnerability do not exist in Cortex XSOAR software. Therefore, Cortex XSOAR is not impacted. |
| CVE-2020-29510 | 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) | Conditions required for exploiting this vulnerability do not exist in Cortex XSOAR software. Therefore, Cortex XSOAR is not impacted. |
| CVE-2020-29511 | 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) | Conditions required for exploiting this vulnerability do not exist in Cortex XSOAR software. Therefore, Cortex XSOAR is not impacted. |

Product Status

| Versions | Affected | Unaffected |
| --- | --- | --- |
| Cortex XSOAR 6.0 | < 6.0.2 | >= 6.0.2 |
| Cortex XSOAR 5.5 | None | 5.5.* |

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Solution

Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.2, and all later versions of Cortex XSOAR do not include the impacted Golang code.

Timeline

Initial publication