CVE-2024-0008 - Vulnerability Details - OpenCVE

Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Paloaltonetworks	Pan-os

Configuration 1 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::

Configuration 2 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-::::::

Configuration 3 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os:10.0.12:-::::::

Configuration 4 [-]

cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*

Configuration 5 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:-::::::
	cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h1::::::

No data.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2024-0008

History

Mon, 09 Dec 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Paloaltonetworks Paloaltonetworks pan-os
CPEs		cpe:2.3:o:paloaltonetworks:pan-os:::::::: cpe:2.3:o:paloaltonetworks:pan-os:10.0.12:-:::::: cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:::::: cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:-:::::: cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h1::::::
Vendors & Products		Paloaltonetworks Paloaltonetworks pan-os

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2024-02-14T17:32:17.611Z

Updated: 2024-08-01T17:41:15.529Z

Reserved: 2023-11-09T18:56:05.666Z

Link: CVE-2024-0008

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-02-14T18:15:47.310

Modified: 2024-12-09T15:18:26.907

Link: CVE-2024-0008

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0008", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2023-11-09T18:56:05.666Z", "datePublished": "2024-02-14T17:32:17.611Z", "dateUpdated": "2024-08-01T17:41:15.529Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "9.0.17-h2", "status": "unaffected"}], "lessThan": "9.0.17-h2", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "9.0.18", "status": "unaffected"}], "lessThan": "9.0.18", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "9.1.17", "status": "unaffected"}], "lessThan": "9.1.17", "status": "affected", "version": "9.1", "versionType": "custom"}, {"changes": [{"at": "10.0.12-h1", "status": "unaffected"}], "lessThan": "10.0.12-h1", "status": "affected", "version": "10.0", "versionType": "custom"}, {"changes": [{"at": "10.0.13", "status": "unaffected"}], "lessThan": "10.0.13", "status": "affected", "version": "10.0", "versionType": "custom"}, {"changes": [{"at": "10.1.10-h1", "status": "unaffected"}], "lessThan": "10.1.10-h1", "status": "affected", "version": "10.1", "versionType": "custom"}, {"changes": [{"at": "10.1.11", "status": "unaffected"}], "lessThan": "10.1.11", "status": "affected", "version": "10.1", "versionType": "custom"}, {"changes": [{"at": "10.2.5", "status": "unaffected"}], "lessThan": "10.2.5", "status": "affected", "version": "10.2", "versionType": "custom"}, {"changes": [{"at": "11.0.2", "status": "unaffected"}], "lessThan": "11.0.2", "status": "affected", "version": "11.0", "versionType": "custom"}, {"lessThan": "All", "status": "unaffected", "version": "11.1", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Prisma Access", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "Cloud NGFW", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Palo Alto Networks thanks Brian Yaklin for discovering and reporting this issue."}], "datePublic": "2024-02-14T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access."}], "value": "Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.<br>"}], "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2024-02-14T17:32:17.611Z"}, "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-0008"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue is fixed in PAN-OS 9.0.17-h2, PAN-OS 9.1.17, PAN-OS 10.0.12-h1, PAN-OS 10.1.10-h1, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions."}], "value": "This issue is fixed in PAN-OS 9.0.17-h2, PAN-OS 9.1.17, PAN-OS 10.0.12-h1, PAN-OS 10.1.10-h1, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions."}], "source": {"defect": ["PAN-211664"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-02-14T17:00:00.000Z", "value": "Initial publication"}], "title": "PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface."}], "value": "Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:15.529Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-0008", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "831B815F-436B-40D2-AFBA-9BE7275C2BEB", "versionEndExcluding": "10.2.5", "versionStartIncluding": "10.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A69845B-51CA-4612-BCBA-96EF92F01D2F", "versionEndExcluding": "11.0.2", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F25D99D-0E7C-469B-977E-FCBD0AB2373E", "versionEndExcluding": "10.1.10", "versionStartIncluding": "10.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:*", "matchCriteriaId": "4F0DB7CB-C200-48C4-9E28-E378AA9A3FA2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "71F1F86A-8158-4BE8-B509-5F50421DA829", "versionEndExcluding": "10.0.12", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:10.0.12:-:*:*:*:*:*:*", "matchCriteriaId": "E280D93F-B51F-4F59-9CCE-829C1F9F1A78", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F9FFBA6-7008-422B-9CF1-E37CA62081EB", "versionEndExcluding": "9.1.17", "versionStartIncluding": "9.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "89A55C5F-8E01-42C4-BE93-D683900C07BE", "versionEndExcluding": "9.0.17", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:-:*:*:*:*:*:*", "matchCriteriaId": "CDAE9753-EF8D-4B15-A73C-0EF56FE6C78C", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:9.0.17:h1:*:*:*:*:*:*", "matchCriteriaId": "2A142EE1-E516-4582-9A7E-6E4C74FB3991", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access."}, {"lang": "es", "value": "Las sesiones web en la interfaz de administraci\u00f3n del software PAN-OS de Palo Alto Networks no caducan en determinadas situaciones, lo que las hace susceptibles a accesos no autorizados."}], "id": "CVE-2024-0008", "lastModified": "2024-12-09T15:18:26.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-14T18:15:47.310", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2024-0008"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2024-0008"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}