Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-3386
PUBLISHED
More InfoOfficial Page
Assigner-palo_alto
Assigner Org ID-d6c1279f-00f6-4ef7-9217-f89ffe703ec0
View Known Exploited Vulnerability (KEV) details
Published At-10 Apr, 2024 | 17:06
Updated At-13 May, 2026 | 20:15
Rejected At-
▼CVE Numbering Authority (CNA)
PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended

An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.

Affected Products
Vendor
Palo Alto Networks, Inc.Palo Alto Networks
Product
PAN-OS
Default Status
unaffected
Versions
Affected
  • From 9.0.0 before 9.0.17-h2 (custom)
    • -> unaffectedfrom9.0.17-h2
  • From 9.1.0 before 9.1.17 (custom)
    • -> unaffectedfrom9.1.17
  • From 10.0.0 before 10.0.13 (custom)
    • -> unaffectedfrom10.0.13
  • From 10.1.0 before 10.1.9-h3 (custom)
    • -> unaffectedfrom10.1.9-h3
  • From 10.1.0 before 10.1.10 (custom)
    • -> unaffectedfrom10.1.10
  • From 10.2.0 before 10.2.4-h2 (custom)
    • -> unaffectedfrom10.2.4-h2
  • From 10.2.0 before 10.2.5 (custom)
    • -> unaffectedfrom10.2.5
  • From 11.0.0 before 11.0.1-h2 (custom)
    • -> unaffectedfrom11.0.1-h2
  • From 11.0.0 before 11.0.2 (custom)
    • -> unaffectedfrom11.0.2
Unaffected
  • 11.1.0
Vendor
Palo Alto Networks, Inc.Palo Alto Networks
Product
Cloud NGFW
Default Status
unaffected
Versions
Unaffected
  • All
Vendor
Palo Alto Networks, Inc.Palo Alto Networks
Product
Prisma Access
Default Status
unaffected
Versions
Unaffected
  • All
Problem Types
TypeCWE IDDescription
CWECWE-436CWE-436 Interpretation Conflict
Type: CWE
CWE ID: CWE-436
Description: CWE-436 Interpretation Conflict
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-148CAPEC-148 Content Spoofing
CAPEC ID: CAPEC-148
Description: CAPEC-148 Content Spoofing
Solutions

This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, 11.1.0 and all later PAN-OS versions.

Configurations

You must configure Predefined Decryption Exclusions on your PAN-OS firewalls. You should check to see whether you have any configured exclusions in your firewall web interface (Device > Certificate Management > SSL Decryption Exclusions).

Workarounds
Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits
finder
Palo Alto Networks thanks Frederic De Vlieger for discovering and reporting this issue.
Timeline
EventDate
Initial publication2024-04-10 16:00:00
Event: Initial publication
Date: 2024-04-10 16:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.paloaltonetworks.com/CVE-2024-3386
N/A
Hyperlink: https://security.paloaltonetworks.com/CVE-2024-3386
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.paloaltonetworks.com/CVE-2024-3386
x_transferred
Hyperlink: https://security.paloaltonetworks.com/CVE-2024-3386
Resource:
x_transferred
Details not found