CVE-2024-9471 MEDIUM

CVE-2024-9471: PAN-OS: Privilege Escalation (PE) Vulnerability in XML API

Vendor Palo Alto Networks

Product PAN-OS

Weakness CWE-269

Published October 9, 2024

Last update October 18, 2024

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green

What the vulnerability does

01Description

A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with "Virtual system administrator (read-only)" access could use an XML API key of a "Virtual system administrator" to perform write operations on the virtual system configuration even though they should be limited to read-only operations.

Key dates

02Disclosure timeline

October 9, 2024 CVE published

October 18, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-9471

Related vulnerabilities

Identifiers

CVE CVE-2024-9471

CWE CWE-269

CVSS 5.1 / MEDIUM

Affected versions

Vendor Palo Alto Networks

Product PAN-OS

Affected ≥ 11.0.0 and < 11.0.3

Vendor Palo Alto Networks

Product PAN-OS

Affected ≥ 10.1.0 and < 10.1.11

Vendor Palo Alto Networks

Product PAN-OS

Affected ≥ 10.2.0 and < 10.2.8

Vendor Palo Alto Networks

Product PAN-OS

Affected 9.1

Vendor Palo Alto Networks

Product PAN-OS

Affected 9.0

CVE-2024-9471: PAN-OS: Privilege Escalation (PE) Vulnerability in XML API

01Description

02Disclosure timeline

03References

04Related CVE