
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (CVE-2020-2001) was discovered in Palo Alto Networks PAN-OS Panorama XSLT processing logic. The vulnerability affects the management interface of various PAN-OS versions including all PAN-OS 7.1 Panorama and 8.0 Panorama versions, PAN-OS 8.1 versions earlier than 8.1.12, and PAN-OS 9.0 versions earlier than 9.0.6 (Palo Alto).
The vulnerability is classified as an external control of path and data vulnerability in the XSLT processing logic. It received a CVSSv3.1 Base Score of 8.1 (HIGH): the attack vector is Network, attack complexity is High, and no privileges or user interaction are required. The weakness type is categorized as CWE-123 Write-what-where Condition (Palo Alto).
The vulnerability allows an unauthenticated user with network access to the PAN-OS management interface to write attacker-supplied files on the system and elevate privileges. The impact on confidentiality, integrity, and availability of the system is rated high (Palo Alto).
The vulnerability has been fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later PAN-OS versions. For affected systems, Palo Alto Networks recommends following best practices for securing the PAN-OS management web interface as detailed in their technical documentation. PAN-OS 7.1 is on extended support until June 30, 2020, and PAN-OS 8.0 is end-of-life as of October 31, 2019 (Palo Alto).
The vulnerability was discovered by Ben Nott of Palo Alto Networks during an internal security review (Palo Alto).
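As an added example (not code from Palo Alto Networks or from this database), the following Python triages an inventory of PAN-OS version strings against the affected and fixed releases stated above. The hostnames and inventory are constructed, and the `major.minor.maintenance[-hN]` version format and the status labels are assumptions.

```python
import re

# Thresholds from the advisory text above. None = the page names no fixed
# release on that train (every 7.1 / 8.0 Panorama release is listed as affected).
FIXED_IN = {(7, 1): None, (8, 0): None, (8, 1): (8, 1, 12), (9, 0): (9, 0, 6)}

# Assumed version format: major.minor.maintenance with optional -hN hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(version_text):
    """Map one version string to a CVE-2020-2001 status per the page's ranges."""
    major, minor, maint, _hotfix = parse_version(version_text)
    train = (major, minor)
    if train in FIXED_IN:
        fixed = FIXED_IN[train]
        if fixed is None:
            return "affected-no-fix-listed"
        # Fixes are named by maintenance release, so a hotfix suffix on an
        # earlier maintenance release (e.g. 8.1.11-h3) is still affected.
        return "affected" if (major, minor, maint) < fixed else "fixed"
    if train > (9, 0):
        return "fixed"  # "all later PAN-OS versions"
    return "not-listed"  # the page makes no statement about these releases

def triage(inventory):
    """Classify every (hostname, version) pair; unparsable versions need review."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "needs-review"
    return report

# Constructed sample inventory (hostnames are hypothetical).
SAMPLE = [("panorama-a", "8.1.11-h3"), ("panorama-b", "8.1.12"),
          ("panorama-c", "9.0.5"), ("panorama-d", "8.0.20"),
          ("panorama-e", "9.1.0"), ("panorama-f", "unknown")]
```

Call `triage(SAMPLE)` to get a hostname-to-status mapping; hosts reported as `needs-review` had a version string the parser could not read and should be checked by hand.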
Source: This report was generated using AI