CVE-2024-5918

Published: Nov 14, 2024Modified: Oct 1, 2025

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:Amber

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:AmberShow less

Source: psirt@paloaltonetworks.com (Secondary)

Description

An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate."

Affected (7)

Products: Paloaltonetworks: Pan Os

Paloaltonetworks

1 product

Pan Os

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Paloaltonetworks Pan Os	From 10.1.0 to 10.1.11
Paloaltonetworks Pan Os	From 10.2.0 to 10.2.4
Paloaltonetworks Pan Os	From 11.0.0 to 11.0.3
Paloaltonetworks Pan Os	Version 10.2.4
Paloaltonetworks Pan Os	Version 10.2.4 h2
Paloaltonetworks Pan Os	Version 10.2.4 h3
Paloaltonetworks Pan Os	Version 10.2.4 h4

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (1)

https://security.paloaltonetworks.com/CVE-2024-5918

Source: psirt@paloaltonetworks.com

Vendor Advisory

Timeline

No history available yet.