First published: Wed Sep 09 2020
An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.
Credit: psirt@paloaltonetworks.com
Affected Software | Affected Version | How to fix |
---|---|---|
Paloaltonetworks Pan-os | >=8.1.0<8.1.16 | |
Paloaltonetworks Pan-os | >=9.0.0<9.0.10 | |
Paloaltonetworks Pan-os | >=9.1.0<9.1.4 | |
Paloaltonetworks Pan-os | >=10.0.0<10.0.1 | |
This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions.
CVE-2020-2039 is an uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS that allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished.
The severity of CVE-2020-2039 is medium with a CVSS score of 5.3.
Palo Alto Networks PAN-OS 8.1 versions earlier than 8.1.16, 9.0 versions earlier than 9.0.10, 9.1 versions earlier than 9.1.4, and 10.0 versions earlier than 10.0.1 are affected by CVE-2020-2039.
An attacker can exploit CVE-2020-2039 by uploading temporary files through the management web interface and causing resource consumption that can disrupt the availability of the system.
Palo Alto Networks has released patches to address the vulnerability, and users are advised to update to the latest version of PAN-OS.