ByteOS

Product

PAN-OS

Default Status

unaffected

Versions

Affected

From 11.0.0 before 11.0.1 (custom)
- -> unaffectedfrom11.0.1
From 10.2.0 before 10.2.4 (custom)
- -> unaffectedfrom10.2.4
From 10.1.0 before 10.1.9 (custom)
- -> unaffectedfrom10.1.9
From 10.0.0 before 10.0.12 (custom)
- -> unaffectedfrom10.0.12
From 9.1.0 before 9.1.16 (custom)
- -> unaffectedfrom9.1.16
From 9.0.0 before 9.0.17 (custom)
- -> unaffectedfrom9.0.17
From 8.1.0 before 8.1.25 (custom)
- -> unaffectedfrom8.1.25

Unaffected

11.1.0
11.2.0

Vendor

Product

GlobalProtect App

Default Status

unaffected

Versions

Affected

From 5.1.0 before 5.1.12 (custom)
- -> unaffectedfrom5.1.12
From 5.2.0 before 5.2.13 (custom)
- -> unaffectedfrom5.2.13
From 6.0.0 before 6.0.7 (custom)
- -> unaffectedfrom6.0.7
From 6.1.0 before 6.1.2 (custom)
- -> unaffectedfrom6.1.2
From 6.2.0 before 6.2.1 (custom)
- -> unaffectedfrom6.2.1

Unaffected

6.3.0

Vendor

Product

Cloud NGFW

Default Status

unaffected

Versions

Unaffected

Vendor

Product

Prisma Access

Default Status

unaffected

Versions

Affected

From 10.2.0 before 10.2.9 on PAN-OS (custom)
- -> unaffectedfrom10.2.9 on PAN-OS

Problem Types

Type	CWE ID	Description
CWE	CWE-497	CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Type: CWE

CWE ID: CWE-497

Description: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Metrics

Version	Base score	Base severity	Vector
4.0	6.9	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber

Version: 4.0

Base score: 6.9

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber

Impacts

CAPEC ID	Description
CAPEC-383	CAPEC-383 Harvesting Information via API Event Monitoring

CAPEC ID: CAPEC-383

Description: CAPEC-383 Harvesting Information via API Event Monitoring

Solutions

This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions. To maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version. All fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect. You can find additional information for PAN-204689 here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues Prisma Access customers can open a support case to request an upgrade.

Configurations

Impacted systems are those on which any of the following features are enabled: * Network > GlobalProtect > Portals > > Agent > > App > Allow User to Disable GlobalProtect App > Allow with Passcode * Network > GlobalProtect > Portals > > Agent > > App > Allow user to disconnect GlobalProtect App > Allow with Passcode * Network > GlobalProtect > Portals > > Agent > > App > Allow User to Uninstall GlobalProtect App > Allow with Password

Workarounds

Change the following two settings (if enabled) to "Allow with Ticket": * Network > GlobalProtect > Portals > > Agent > > App > Allow User to Disable GlobalProtect App * Network > GlobalProtect > Portals > > Agent > > App > Allow user to disconnect GlobalProtect App Change the following setting (if enabled) to "Disallow": * Network > GlobalProtect > Portals > > Agent > > App > Allow User to Uninstall GlobalProtect App

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

finder

Claudiu Pancotan

Timeline

Event	Date
Initial publication	2024-09-11 16:00:00

Event: Initial publication

Date: 2024-09-11 16:00:00

References

Hyperlink	Resource
https://security.paloaltonetworks.com/CVE-2024-8687	N/A

Hyperlink: https://security.paloaltonetworks.com/CVE-2024-8687

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:psirt@paloaltonetworks.com

Published At:11 Sep, 2024 | 17:15

Updated At:03 Oct, 2024 | 00:26

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	6.9	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber
Primary	3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Secondary	4.0	6.9	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber
Primary	3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Type: Secondary

Version: 4.0

Base score: 6.9

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber

Type: Primary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Type: Secondary

Version: 4.0

Base score: 6.9

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber

Type: Primary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CPE Matches

>>pan-os>>Versions from 8.1.0(inclusive) to 8.1.25(exclusive)

>>pan-os>>Versions from 9.0.0(inclusive) to 9.0.17(exclusive)

>>pan-os>>Versions from 9.1.0(inclusive) to 9.1.16(exclusive)

>>pan-os>>Versions from 10.0.0(inclusive) to 10.0.12(exclusive)

>>pan-os>>Versions from 10.1.0(inclusive) to 10.1.9(exclusive)

>>pan-os>>Versions from 10.2.0(inclusive) to 10.2.4(exclusive)

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*

>>pan-os>>11.0.0

cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:*:*:*

>>globalprotect>>Versions from 5.1.0(inclusive) to 5.1.12(exclusive)

cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:*:*:*

>>globalprotect>>Versions from 5.2.0(inclusive) to 5.2.13(exclusive)

cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:*:*:*

>>globalprotect>>Versions from 6.0.0(inclusive) to 6.0.7(exclusive)

cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:*:*:*

>>globalprotect>>Versions from 6.1.0(inclusive) to 6.1.2(exclusive)

cpe:2.3:a:paloaltonetworks:globalprotect:6.2.0:*:*:*:*:*:*:*

>>globalprotect>>6.2.0

cpe:2.3:a:paloaltonetworks:prisma_access:-:*:*:*:*:*:*:*

>>prisma_access>>-

>>pan-os>>Versions before 10.2.9(exclusive)

Weaknesses

CWE ID	Type	Source
NVD-CWE-noinfo	Primary	nvd@nist.gov
CWE-497	Secondary	psirt@paloaltonetworks.com

CWE ID: NVD-CWE-noinfo

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-497

Type: Secondary

Source: psirt@paloaltonetworks.com

References

Hyperlink	Source	Resource
https://security.paloaltonetworks.com/CVE-2024-8687	psirt@paloaltonetworks.com	Vendor Advisory

Hyperlink: https://security.paloaltonetworks.com/CVE-2024-8687

Source: psirt@paloaltonetworks.com

Resource:

Vendor Advisory

Similar CVEs

3Records found

CVE-2023-0005

Matching Score-6

View Details

Matching Score-6

CVSS Score-4.1||MEDIUM

EPSS-0.06% / 17.32%

7 Day CHG~0.00%

Published-12 Apr, 2023 | 16:41

Updated-10 Feb, 2025 | 21:56

PAN-OS: Exposure of Sensitive Information Vulnerability

A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys.

Vendor-Palo Alto Networks, Inc.

Product-pan-os PAN-OS Prisma Access Cloud NGFW

CWE ID-CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CWE ID-CWE-312

Cleartext Storage of Sensitive Information

CVE-2025-4229

Matching Score-6

View Details

Matching Score-6

CVSS Score-6||MEDIUM

EPSS-0.06% / 19.74%

7 Day CHG~0.00%

Published-13 Jun, 2025 | 05:42

Updated-16 Jun, 2025 | 12:32

PAN-OS: Traffic Information Disclosure Vulnerability

An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall. Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Vendor-Palo Alto Networks, Inc.

Product-Prisma Access Cloud NGFW PAN-OS

CWE ID-CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVE-2024-9470

Matching Score-6

View Details

Matching Score-6