CVE-2024-2433

PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images.

This issue affects only the web interface of the management plane; the dataplane is unaffected.

Una vulnerabilidad de autorización inadecuada en el software Panorama de Palo Alto Networks permite que un administrador autenticado de solo lectura cargue archivos utilizando la interfaz web y llene completamente una de las particiones del disco con esos archivos cargados, lo que impide iniciar sesión en la interfaz web o descargarlos. PAN-OS, WildFire e imágenes de contenido. Este problema afecta únicamente a la interfaz web del plano de gestión; el plano de datos no se ve afectado.

*Credits: Palo Alto Networks thanks Omar Eissa (https://de.linkedin.com/in/oeissa) for discovering and reporting this issue.

CVSS Scores

Palo Altov3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-06 First Exploit
2024-03-13 CVE Reserved
2024-03-13 CVE Published
2024-03-14 EPSS Updated
2024-08-12 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-269: Improper Privilege Management

CAPEC

References (3)

URL	Tag	Source
https://security.paloaltonetworks.com/CVE-2024-2433

URL	Date	SRC
https://github.com/nitipoom-jar/CVE-2024-24337	2024-02-06
https://github.com/nitipoom-jar/CVE-2024-24336	2024-02-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Palo Alto Networks Search vendor "Palo Alto Networks"		PAN-OS Search vendor "Palo Alto Networks" for product "PAN-OS"				>= 9.1.0 < 9.1.17 Search vendor "Palo Alto Networks" for product "PAN-OS" and version " >= 9.1.0 < 9.1.17"		en		Affected
Palo Alto Networks Search vendor "Palo Alto Networks"		PAN-OS Search vendor "Palo Alto Networks" for product "PAN-OS"				>= 10.1.0 < 10.1.12 Search vendor "Palo Alto Networks" for product "PAN-OS" and version " >= 10.1.0 < 10.1.12"		en		Affected
Palo Alto Networks Search vendor "Palo Alto Networks"		PAN-OS Search vendor "Palo Alto Networks" for product "PAN-OS"				>= 10.2.0 < 10.2.8 Search vendor "Palo Alto Networks" for product "PAN-OS" and version " >= 10.2.0 < 10.2.8"		en		Affected
Palo Alto Networks Search vendor "Palo Alto Networks"		PAN-OS Search vendor "Palo Alto Networks" for product "PAN-OS"				>= 11.0.0 < 11.0.3 Search vendor "Palo Alto Networks" for product "PAN-OS" and version " >= 11.0.0 < 11.0.3"		en		Affected