CVE-2024-3386

Summary

An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS9.0.0 < 9.0.17-h2affected
Palo Alto NetworksPAN-OS9.1.0 < 9.1.17affected
Palo Alto NetworksPAN-OS10.0.0 < 10.0.13affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.9-h3affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.10affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.4-h2affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.5affected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.1-h2affected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.2affected
Palo Alto NetworksPAN-OS11.1.0unaffected
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-436: CWE-436 Interpretation Conflict

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References