Headline
CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Published: 2023-04-12
Updated: 2023-04-12
Reference: PAN-198986
Discovered: externally
Description
A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys.
Product Status
Product        Affected versions   Unaffected versions
Cloud NGFW     None                All
PAN-OS 11.0    None                All
PAN-OS 10.2    < 10.2.3            >= 10.2.3
PAN-OS 10.1    < 10.1.8            >= 10.1.8
PAN-OS 10.0    < 10.0.12           >= 10.0.12
PAN-OS 9.1     < 9.1.15            >= 9.1.15
PAN-OS 9.0     < 9.0.17            >= 9.0.17
PAN-OS 8.1     < 8.1.24            >= 8.1.24
Prisma Access  None                All
Severity: MEDIUM
CVSSv3.1 Base Score: 4.1 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. However, a proof-of-concept script for this issue is publicly available.
Weakness Type
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Solution
This issue is fixed in PAN-OS 8.1.24, PAN-OS 9.0.17, PAN-OS 9.1.15, PAN-OS 10.0.12, PAN-OS 10.1.8, PAN-OS 10.2.3, and all later PAN-OS versions.
Acknowledgments
Palo Alto Networks thanks the security researcher rqu for discovering and reporting this issue.
Timeline
2023-04-12 Initial publication