PAN-OS: OS Command Injection Vulnerability in Web Interface XML API

CVE-2021-3058

8.8HIGH

Key Information

Vendor: Palo Alto Networks
Status: Pan-os; Prisma Access
Vendor: CVE Published:; 10 November 2021

Badges

👾 Exploit Exists

Summary

An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls.

Affected Version(s)

PAN-OS < 10.1.3

PAN-OS < 9.0.14-h3

PAN-OS < 8.1.20-h1

Refferences

https://security.paloaltonetworks.com/CVE-2021-3058

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Aug 3, 2024
Vulnerability published
Nov 10, 2021
Vulnerability Reserved
Jan 6, 2021

Collectors

NVD DatabaseMitre Database

Credit

Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue.