CVE-2020-1998

An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0.

Published: May 13, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-1998
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
paloaltonetworks / pan-os	9.0.0	9.0.6
paloaltonetworks / pan-os	8.1.0	8.1.13
paloaltonetworks / pan-os	8.0.0	8.0.20.x
paloaltonetworks / pan-os	7.1.0	7.1.26
paloaltonetworks / pan-os	9.1.0	9.1.1

https://security.paloaltonetworks.com/CVE-2020-1998

Vulnerability Database

290,206

CVE-2020-1998