CVE-2021-3055 : An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interf

An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access.

Published 2021-09-08 17:15:12

Updated 2021-09-15 19:04:40

Source Palo Alto Networks, Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injectionDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2021-3055

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 42 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3055

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:S/C:P/I:N/A:C	8.0	7.8	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Complete
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H	1.2	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H	1.2	5.2	Palo Alto Networks, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High

CWE ids for CVE-2021-3055

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@paloaltonetworks.com (Secondary)

References for CVE-2021-3055

https://security.paloaltonetworks.com/CVE-2021-3055

CVE-2021-3055 PAN-OS: XML External Entity (XXE) Reference Vulnerability in the PAN-OS Web Interface
Vendor Advisory

Products affected by CVE-2021-3055

Paloaltonetworks » Pan-os
Versions from including (>=) 9.1.0 and before (<) 9.1.10
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
Matching versions
Paloaltonetworks » Pan-os
Versions from including (>=) 8.1.0 and before (<) 8.1.20
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
Matching versions
Paloaltonetworks » Pan-os
Versions from including (>=) 9.0.0 and before (<) 9.0.14
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
Matching versions
Paloaltonetworks » Pan-os
Versions from including (>=) 10.0.0 and before (<) 10.0.6
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-3055

Exploit prediction scoring system (EPSS) score for CVE-2021-3055

CVSS scores for CVE-2021-3055

CWE ids for CVE-2021-3055

References for CVE-2021-3055

Products affected by CVE-2021-3055