CVE-2024-0008 - OpenCVE

Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://security.paloaltonetworks.com/CVE-2024-0008

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: palo_alto

Published: 2024-02-14T17:32:17.611Z

Updated: 2024-02-14T17:32:17.611Z

Reserved: 2023-11-09T18:56:05.666Z

Link: CVE-2024-0008

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-02-14T18:15:47.310

Modified: 2024-02-15T06:23:39.303

Link: CVE-2024-0008

JSON object: View

Redhat Information

No data.

CWE

CWE-613

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-0008", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2023-11-09T18:56:05.666Z", "datePublished": "2024-02-14T17:32:17.611Z", "dateUpdated": "2024-02-14T17:32:17.611Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "9.0.17-h2", "status": "unaffected"}], "lessThan": "9.0.17-h2", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "9.0.18", "status": "unaffected"}], "lessThan": "9.0.18", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "9.1.17", "status": "unaffected"}], "lessThan": "9.1.17", "status": "affected", "version": "9.1", "versionType": "custom"}, {"changes": [{"at": "10.0.12-h1", "status": "unaffected"}], "lessThan": "10.0.12-h1", "status": "affected", "version": "10.0", "versionType": "custom"}, {"changes": [{"at": "10.0.13", "status": "unaffected"}], "lessThan": "10.0.13", "status": "affected", "version": "10.0", "versionType": "custom"}, {"changes": [{"at": "10.1.10-h1", "status": "unaffected"}], "lessThan": "10.1.10-h1", "status": "affected", "version": "10.1", "versionType": "custom"}, {"changes": [{"at": "10.1.11", "status": "unaffected"}], "lessThan": "10.1.11", "status": "affected", "version": "10.1", "versionType": "custom"}, {"changes": [{"at": "10.2.5", "status": "unaffected"}], "lessThan": "10.2.5", "status": "affected", "version": "10.2", "versionType": "custom"}, {"changes": [{"at": "11.0.2", "status": "unaffected"}], "lessThan": "11.0.2", "status": "affected", "version": "11.0", "versionType": "custom"}, {"lessThan": "All", "status": "unaffected", "version": "11.1", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Prisma Access", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "Cloud NGFW", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Palo Alto Networks thanks Brian Yaklin for discovering and reporting this issue."}], "datePublic": "2024-02-14T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access."}], "value": "Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.<br>"}], "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2024-02-14T17:32:17.611Z"}, "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-0008"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue is fixed in PAN-OS 9.0.17-h2, PAN-OS 9.1.17, PAN-OS 10.0.12-h1, PAN-OS 10.1.10-h1, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions."}], "value": "This issue is fixed in PAN-OS 9.0.17-h2, PAN-OS 9.1.17, PAN-OS 10.0.12-h1, PAN-OS 10.1.10-h1, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions."}], "source": {"defect": ["PAN-211664"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-02-14T17:00:00.000Z", "value": "Initial publication"}], "title": "PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface."}], "value": "Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}