Description
An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate."
CVSS breakdown
CVSS 4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Low
- User Interaction: None
- Confidentiality (Vulnerable System): None
- Integrity (Vulnerable System): Low
- Availability (Vulnerable System): None
- Confidentiality (Subsequent System): Low
- Integrity (Subsequent System): Low
- Availability (Subsequent System): Low
- AU: None
- R: Adjacent
- V: Changed
- RE: M
- U: Amber
Affected products
- Palo Alto Networks / Cloud NGFW All – All
- Palo Alto Networks / Prisma Access All – All
- paloaltonetworks / pan-os 11.0.2 – 11.0.2
- paloaltonetworks / pan-os 11.0.1 – 11.0.1
- paloaltonetworks / pan-os 11.0.0 – 11.0.0
- paloaltonetworks / pan-os 11.0 – 11.0
- paloaltonetworks / pan-os 10.2.4 – 10.2.4
- paloaltonetworks / pan-os 10.2.3 – 10.2.3
- paloaltonetworks / pan-os 10.2.2 – 10.2.2
- paloaltonetworks / pan-os 10.2.1 – 10.2.1
- paloaltonetworks / pan-os 10.2.0 – 10.2.0
- paloaltonetworks / pan-os 10.2 – 10.2
- paloaltonetworks / pan-os 10.1.10 – 10.1.10
- paloaltonetworks / pan-os 10.1.9 – 10.1.9
- paloaltonetworks / pan-os 10.1.8 – 10.1.8
- paloaltonetworks / pan-os 10.1.7 – 10.1.7
- paloaltonetworks / pan-os 10.1.6 – 10.1.6
- paloaltonetworks / pan-os 10.1.5 – 10.1.5
- paloaltonetworks / pan-os 10.1.4 – 10.1.4
- paloaltonetworks / pan-os 10.1.3 – 10.1.3
- paloaltonetworks / pan-os 10.1.2 – 10.1.2
- paloaltonetworks / pan-os 10.1.1 – 10.1.1
- paloaltonetworks / pan-os 10.1.0 – 10.1.0
- paloaltonetworks / pan-os 10.1 – 10.1