CVE-2021-3060

EPSS 41.02%
Veröffentlicht 10.11.2021 17:15:10
Zuletzt bearbeitet 21.11.2024 06:20:52
Quelle psirt@paloaltonetworks.com
Teams Watchlist Login
Unerledigt Login

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Paloaltonetworks ≫ Prisma Access Version2.1 SwEditioninnovation

Paloaltonetworks ≫ Prisma Access Version2.1 SwEditionpreferred

Paloaltonetworks ≫ Pan-os Version >= 8.1.0 <= 8.1.20

Paloaltonetworks ≫ Pan-os Version >= 9.0.0 <= 9.0.14

Paloaltonetworks ≫ Pan-os Version >= 9.1.0 <= 9.1.11

Paloaltonetworks ≫ Pan-os Version >= 10.0.0 < 10.0.8

Paloaltonetworks ≫ Pan-os Version >= 10.1.0 < 10.1.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	41.02%	0.973

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
psirt@paloaltonetworks.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html

Vendor Advisory

https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html

Vendor Advisory

https://security.paloaltonetworks.com/CVE-2021-3060

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-3060

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3060

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3060

EUVD