Feb 10, 2021 - 6:15 p.m.

CVE-2021-3033

2021-02-10 18:15:13
CWE-347
web.nvd.nist.gov
cve-2021-3033
vulnerability
palo alto networks
prisma cloud compute
saml authentication
signature validation

CVSS2: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.6 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 70.1%)

An improper verification of cryptographic signature vulnerability exists in the Palo Alto Networks Prisma Cloud Compute console. This vulnerability enables an attacker to bypass signature validation during SAML authentication and log in to the Prisma Cloud Compute console as any authorized user. This issue impacts: all versions of Prisma Cloud Compute 19.11, Prisma Cloud Compute 20.04, and Prisma Cloud Compute 20.09; Prisma Cloud Compute 20.12 before update 1. The Prisma Cloud Compute SaaS version is not impacted by this vulnerability.

Affected configurations

NVD
Node
paloaltonetworks | prisma_cloud | Match 19.11 | - | compute
OR
paloaltonetworks | prisma_cloud | Match 19.11 | update_1 | compute
OR
paloaltonetworks | prisma_cloud | Match 19.11 | update_2 | compute
OR
paloaltonetworks | prisma_cloud | Match 20.04 | - | compute
OR
paloaltonetworks | prisma_cloud | Match 20.04 | update_1 | compute
OR
paloaltonetworks | prisma_cloud | Match 20.04 | update_2 | compute
OR
paloaltonetworks | prisma_cloud | Match 20.09 | - | compute
OR
paloaltonetworks | prisma_cloud | Match 20.09 | update_1 | compute
OR
paloaltonetworks | prisma_cloud | Match 20.09 | update_2 | compute
OR
paloaltonetworks | prisma_cloud | Match 20.12 | - | compute

CNA Affected

[
  {
    "product": "Prisma Cloud Compute",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "lessThanOrEqual": "update 2",
        "status": "affected",
        "version": "19.11",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "update 2",
        "status": "affected",
        "version": "20.04",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "update 2",
        "status": "affected",
        "version": "20.09",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "update 1",
            "status": "unaffected"
          }
        ],
        "lessThan": "update 1",
        "status": "affected",
        "version": "20.12",
        "versionType": "custom"
      }
    ]
  }
]
