CVE-2021-3062

Published: Nov 10, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue.

Affected (4)

Products: Paloaltonetworks: Pan Os

Paloaltonetworks

1 product

Pan Os

Configuration A

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Paloaltonetworks Pan Os	From 10.0.0 to 10.0.8
Paloaltonetworks Pan Os	From 8.1.0 to 8.1.20
Paloaltonetworks Pan Os	From 9.0.0 to 9.0.14
Paloaltonetworks Pan Os	From 9.1.0 to 9.1.11

Running on/with	Platform Versions
Paloaltonetworks Vm Series Firewall	All versions

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://security.paloaltonetworks.com/CVE-2021-3062

Source: psirt@paloaltonetworks.com

Vendor Advisory

https://security.paloaltonetworks.com/CVE-2021-3062

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.