CVE-2024-9471

09.10.2024, 17:15

A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with "Virtual system administrator (read-only)" access could use an XML API key of a "Virtual system administrator" to perform write operations on the virtual system configuration even though they should be limited to read-only operations.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
palo_alto	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 42%

Vendor	Product	Version
paloaltonetworks	pan-os	9.0.0 ≤ 𝑥 < 10.0.0
paloaltonetworks	pan-os	10.1.0 ≤ 𝑥 < 10.1.11
paloaltonetworks	pan-os	10.2.0 ≤ 𝑥 < 10.2.8
paloaltonetworks	pan-os	11.0.0 ≤ 𝑥 < 11.0.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://security.paloaltonetworks.com/CVE-2024-9471