How severe is CVE-2020-1978?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.4 out of 10.

What type of vulnerability is CVE-2020-1978?

This is classified as CWE-255, which is a common weakness in software security.

CVE-2020-1978

MEDIUM Year: 2020

CVSS v3 Score

4.4

Medium

CVSS v2 Score

1.9

Low

Weakness Type

CWE-255

View all →

Vulnerability Description

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.

CVE-2021-21522

MEDIUM

CVSS:4.4(Medium)

Dell BIOS contains a Credentials Management issue. A local authenticated malicious user may potentially exploit this vulnerability to gain access to sensitive information on an NVMe storage by resetti...

CWE-2552021

CVE-2021-1522

MEDIUM

CVSS:4.3(Medium)

A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with th...

CWE-2552021

CVE-2015-4400

MEDIUM

CVSS:4.6(Medium)

Ring (formerly DoorBot) video doorbells allow remote attackers to obtain sensitive information about the wireless network configuration by pressing the set up button and leveraging an API in the GainS...

CWE-2552015

CVE-2016-3685

MEDIUM

CVSS:4.7(Medium)

SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration infor...

CWE-2552016

CVE-2016-8375

MEDIUM

CVSS:4.9(Medium)

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical...

CWE-2552016

CVE-2015-8945

MEDIUM

CVSS:5.1(Medium)

openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores router credentials as envvars in the pod when the --credentials option is used, which allows local users to obtain sensitive priv...

CWE-2552015

CVE-2020-1978

Vulnerability Description

Related Vulnerabilities

CVE-2021-21522

CVE-2021-1522

CVE-2015-4400

CVE-2016-3685

CVE-2016-8375

CVE-2015-8945