Alycia N. Carey

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions 7.1.23 and earlier PAN-OS versions 8.0.18 and earlier PAN-OS versions 8.1.8-h4 and earlier PAN-OS versions 9.0.2 and earlier **Description** The issue is related to information disclosure in PAN-OS, which may allow an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API, possibly escalating privileges granted to them. This is due to a lack of protection for service data. **Recommendations** For PAN-OS versions 7.1.23 and earlier, update to a version later than 7.1.23 to resolve the issue. For PAN-OS versions 8.0.18 and earlier, update to a version later than 8.0.18 to resolve the issue. For PAN-OS versions 8.1.8-h4 and earlier, update to a version later than 8.1.8-h4 to resolve the issue. For PAN-OS versions 9.0.2 and earlier, update to a version later than 9.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the XML API until a patch is available.