CVE-2020-2039 - Vulnerability Details - OpenCVE

An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Paloaltonetworks	Pan-os

Configuration 1 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::

No data.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2020-2039

History

No history.

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2020-09-09T16:45:27.091779Z

Updated: 2024-09-16T17:54:09.808Z

Reserved: 2019-12-04T00:00:00

Link: CVE-2020-2039

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-09T17:15:25.823

Modified: 2024-11-21T05:24:31.500

Link: CVE-2020-2039

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "9.1.4", "status": "unaffected"}], "lessThan": "9.1.4", "status": "affected", "version": "9.1", "versionType": "custom"}, {"changes": [{"at": "8.1.16", "status": "unaffected"}], "lessThan": "8.1.16", "status": "affected", "version": "8.1", "versionType": "custom"}, {"changes": [{"at": "9.0.10", "status": "unaffected"}], "lessThan": "9.0.10", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "10.0.1", "status": "unaffected"}], "lessThan": "10.0.1", "status": "affected", "version": "10.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue."}], "datePublic": "2020-09-09T00:00:00", "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1."}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-09T16:45:27", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2020-2039"}], "solutions": [{"lang": "en", "value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions."}], "source": {"defect": ["PAN-148806"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2020-09-09T00:00:00", "value": "Initial publication"}], "title": "PAN-OS: Management web interface denial-of-service (DoS) through unauthenticated file upload", "workarounds": [{"lang": "en", "value": "This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-09-09T16:00:00.000Z", "ID": "CVE-2020-2039", "STATE": "PUBLIC", "TITLE": "PAN-OS: Management web interface denial-of-service (DoS) through unauthenticated file upload"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PAN-OS", "version": {"version_data": [{"version_affected": "<", "version_name": "9.1", "version_value": "9.1.4"}, {"version_affected": "<", "version_name": "8.1", "version_value": "8.1.16"}, {"version_affected": "<", "version_name": "9.0", "version_value": "9.0.10"}, {"version_affected": "<", "version_name": "10.0", "version_value": "10.0.1"}, {"version_affected": "!>=", "version_name": "9.1", "version_value": "9.1.4"}, {"version_affected": "!>=", "version_name": "8.1", "version_value": "8.1.16"}, {"version_affected": "!>=", "version_name": "9.0", "version_value": "9.0.10"}, {"version_affected": "!>=", "version_name": "10.0", "version_value": "10.0.1"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1."}]}, "exploit": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2020-2039", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2020-2039"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions."}], "source": {"defect": ["PAN-148806"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2020-09-09T00:00:00", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/best-practices."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:54:00.704Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.paloaltonetworks.com/CVE-2020-2039"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2020-2039", "datePublished": "2020-09-09T16:45:27.091779Z", "dateReserved": "2019-12-04T00:00:00", "dateUpdated": "2024-09-16T17:54:09.808Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E961A6F-DC8D-46DE-9279-95FCA3B460C1", "versionEndExcluding": "8.1.16", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "B274DF14-BD36-46DF-91EF-0293CC082B41", "versionEndExcluding": "9.0.10", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "F307ABF3-27DB-4C76-A488-60E1F6A6D17F", "versionEndExcluding": "9.1.4", "versionStartIncluding": "9.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "09926771-7377-487B-B660-809265E7D8A2", "versionEndExcluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1."}, {"lang": "es", "value": "Una vulnerabilidad de consumo de recursos no controlado en Palo Alto Networks PAN-OS permite a un usuario remoto no autenticado cargar archivos temporales por medio de la interfaz web de administraci\u00f3n que no son eliminados apropiadamente una vez finalizada la petici\u00f3n. Es posible que un atacante interrumpa la disponibilidad de la interfaz web de administraci\u00f3n cargando archivos de forma repetida hasta que se agote el espacio disponible en disco. Este problema impacta a: Versiones PAN-OS 8.1 anteriores a PAN-OS 8.1.16; Versiones PAN-OS 9.0 anteriores a PAN-OS 9.0.10; Versiones PAN-OS 9.1 anteriores a PAN-OS 9.1.4; Versiones PAN-OS 10.0 anteriores a PAN-OS 10.0.1."}], "id": "CVE-2020-2039", "lastModified": "2024-11-21T05:24:31.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-09T17:15:25.823", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2020-2039"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2020-2039"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}