CVE Vulnerabilities

CVE-2020-1993

Session Fixation

Published: May 13, 2020 | Modified: May 15, 2020
CVSS 3.x
5.4
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.x
5.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a users session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name Vendor Start Version End Version
Pan-os Paloaltonetworks 7.1.0 (including) 7.1.26 (including)
Pan-os Paloaltonetworks 8.0.0 (including) 8.0.20 (including)
Pan-os Paloaltonetworks 8.1.0 (including) 8.1.13 (including)
Pan-os Paloaltonetworks 9.0.0 (including) 9.0.7 (including)

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References