Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2021-3044
CVE-2021-3044:
Cortex XSOAR vulnerability analysis and mitigation
Overview
An improper authorization vulnerability (CVE-2021-3044) was discovered in Palo Alto Networks Cortex XSOAR that enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. The vulnerability affects Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064, and Cortex XSOAR 6.2.0 builds earlier than 1271065. The issue was discovered during internal security review and disclosed on June 22, 2021 (Palo Alto).
Technical details
The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is applicable only to Cortex XSOAR configurations with active API key integrations. While this is not a remote code execution vulnerability, it enables an unauthorized attacker to perform actions on behalf of an active Cortex XSOAR integration, including running commands and automations in the Cortex XSOAR War Room (Palo Alto).
Impact
The vulnerability allows an unauthorized attacker to perform actions through the REST API with the privileges of an active Cortex XSOAR integration. This includes the ability to run commands and automations in the Cortex XSOAR War Room, potentially compromising the integrity of the system and its data. The exploitation can also impact the integrity of audit trails, making it impossible to conclusively determine if a Cortex XSOAR instance was compromised (Palo Alto).
Mitigation and workarounds
The vulnerability was fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later versions. Until the XSOAR server is upgraded, users must revoke all active integration API keys as a workaround. This can be done from the Cortex XSOAR web client by navigating to Settings > Integration > API Keys and revoking each API key. New API keys can be created after upgrading to a fixed version. Additionally, restricting network access to the Cortex XSOAR server to allow only trusted users reduces the impact of this issue (Palo Alto).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management