Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-6794: CVE-2023-6794 PAN-OS: File Upload Vulnerability in the Web Interface

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

CVE
Open in Source
#vulnerability#web#js#auth

Palo Alto Networks Security Advisories / CVE-2023-6794

Urgency REDUCED

Response Effort LOW

Recovery AUTOMATIC

Value Density DIFFUSE

Attack Vector NETWORK

Attack Complexity LOW

Attack Requirements PRESENT

Automatable NO

User Interaction NONE

Product Confidentiality HIGH

Product Integrity LOW

Product Availability NONE

Privileges Required HIGH

Subsequent Confidentiality NONE

Subsequent Integrity NONE

Subsequent Availability NONE

NVD JSON

Published 2023-12-13

Updated 2023-12-13

Reference PAN-139152 and PAN-131835

Discovered internally

Description

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Product Status

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

None

All

PAN-OS 9.1

< 9.1.14

>= 9.1.14

PAN-OS 9.0

< 9.0.17-h1

>= 9.0.17-h1

PAN-OS 8.1

< 8.1.26

>= 8.1.26

Prisma Access

None

All

Severity: MEDIUM

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-434 Unrestricted Upload of File with Dangerous Type

Solution

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h1, PAN-OS 9.1.14, and all later PAN-OS versions.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

This issue was found by Palo Alto Networks during an internal security review.

Timeline

2023-12-13 Initial publication

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE