CVE-2020-2022 HIGH

CVE-2020-2022: PAN-OS: Panorama session disclosure during context switch into managed device

Vendor Palo Alto Networks
Product PAN-OS
Weakness CWE-200 · Info exposure
Published November 12, 2020
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

An information exposure vulnerability exists in Palo Alto Networks Panorama software that discloses the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performs a context switch into that device. This vulnerability allows an attacker to gain privileged access to the Panorama web interface. An attacker requires some knowledge of managed firewalls to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.

Key dates

02Disclosure timeline

November 12, 2020 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-34244 Weblate: SSRF via Project-Level Machinery Configuration CVE-2026-0789 ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability CVE-2024-11008 Members <= 3.2.10 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure CVE-2024-7128 Openshift-console: unauthenticated data exposure CVE-2024-5067 Exposure of Sensitive Information to an Unauthorized Actor in GitLab