PAN-OS: Unsigned Code Execution During Plugin Installation Race Condition Vulnerability
CVE-2021-3054
7.2HIGH
Key Information
- Vendor
- Palo Alto Networks
- Status
- Pan-os
- Vendor
- CVE Published:
- 8 September 2021
Badges
👾 Exploit Exists
Summary
A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7; PAN-OS 10.1 versions earlier than PAN-OS 10.1.2. This issue does not affect Prisma Access.
Affected Version(s)
PAN-OS < 8.1.20
PAN-OS < 9.0.14
PAN-OS < 10.0.7
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
- 👾
Exploit exists.
Risk change from: 6.6 to: 7.2 - (HIGH)
Initial publication
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database
Credit
Palo Alto Networks thanks Praetorian for discovering and reporting this issue.