CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3062 – PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users
https://notcve.org/view.php?id=CVE-2021-3062
An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue. Una vulnerabilidad de control de acceso inapropiada en el software PAN-OS permite a un atacante con acceso autenticado a los portales y puertas de enlace de GlobalProtect conectarse al endpoint de metadatos de la instancia EC2 para los firewalls VM-Series alojados en Amazon AWS. • https://security.paloaltonetworks.com/CVE-2021-3062 • CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3061 – PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)
https://notcve.org/view.php?id=CVE-2021-3061
An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue. Una vulnerabilidad de inyección de comandos del sistema operativo en la interfaz de línea de comandos (CLI) de PAN-OS de Palo Alto Networks permite que un administrador autenticado con acceso a la CLI ejecute comandos arbitrarios del sistema operativo para aumentar sus privilegios. Este problema afecta a: PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.20-h1; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14-h3; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.11-h2; PAN-OS versiones 10.0 anteriores a PAN-OS 10.0.8; PAN-OS versiones 10.1 anteriores a PAN-OS 10.1.3. • https://security.paloaltonetworks.com/CVE-2021-3061 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 1CVE-2021-3060 – PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)
https://notcve.org/view.php?id=CVE-2021-3060
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue. Una vulnerabilidad de inyección de comandos del sistema operativo en la función Simple Certificate Enrollment Protocol (SCEP) del software PAN-OS permite a un atacante no autenticado basado en la red con conocimientos específicos de la configuración del firewalls ejecutar código arbitrario con privilegios de usuario root. • https://github.com/anmolksachan/CVE-2021-3060 https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html https://security.paloaltonetworks.com/CVE-2021-3060 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3059 – PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates
https://notcve.org/view.php?id=CVE-2021-3059
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue. Se presenta una vulnerabilidad de inyección de comandos del sistema operativo en la interfaz de administración de PAN-OS de Palo Alto Networks cuando se llevan a cabo actualizaciones dinámicas. • https://security.paloaltonetworks.com/CVE-2021-3059 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3058 – PAN-OS: OS Command Injection Vulnerability in Web Interface XML API
https://notcve.org/view.php?id=CVE-2021-3058
An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls. Una vulnerabilidad de inyección de comandos del sistema operativo en la interfaz web de Palo Alto Networks PAN-OS permite a un administrador autenticado con permisos para usar la API XML la capacidad de ejecutar comandos arbitrarios del sistema operativo para escalar privilegios. Este problema afecta a: PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.20-h1; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14-h3; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.11-h2; PAN-OS versiones 10.0 anteriores a PAN-OS 10.0.8; PAN-OS versiones 10.1 anteriores a PAN-OS 10.1.3. • https://security.paloaltonetworks.com/CVE-2021-3058 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •