CVE-2024-2433

EUVD-2024-27384

13.03.2024, 18:15

An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images. 



This issue affects only the web interface of the management plane; the dataplane is unaffected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
paloaltonetworks	pan-os	𝑥 < 9.0.17
paloaltonetworks	pan-os	9.1.0 ≤ 𝑥 < 9.1.17
paloaltonetworks	pan-os	10.1.0 ≤ 𝑥 < 10.1.12
paloaltonetworks	pan-os	10.2.0 ≤ 𝑥 < 10.2.8
paloaltonetworks	pan-os	11.0.0 ≤ 𝑥 < 11.0.3
paloaltonetworks	pan-os	9.0.17
paloaltonetworks	pan-os	9.0.17:h1

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
paloaltonetworks	pan-os	9.0 ≤ 𝑥 < 9.0.17-h4	ADP
paloaltonetworks	pan-os	9.1 ≤ 𝑥 < 9.1.17	ADP
paloaltonetworks	pan-os	10.1 ≤ 𝑥 < 10.1.12	ADP
paloaltonetworks	pan-os	10.2 ≤ 𝑥 < 10.2.8	ADP
paloaltonetworks	pan-os	11.0 ≤ 𝑥 < 11.0.3	ADP
paloaltonetworks	cloud_ngfw	𝑥 ≤ *	ADP
paloaltonetworks	prisma_access	𝑥 ≤ *	ADP

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://security.paloaltonetworks.com/CVE-2024-2433