Palo Alto Networks · PAN-OS · CVE-2022-0011
**Name of the Vulnerable Software and Affected Versions**
PAN-OS versions prior to 10.1.3
PAN-OS versions prior to 10.0.8
PAN-OS versions prior to 9.1.12
PAN-OS 9.0, all versions
PAN-OS versions prior to 8.1.21
Prisma Access versions 2.2 and 2.1
**Description**
The issue arises from how PAN-OS handles hostname patterns in custom URL category lists and external dynamic lists (EDLs) used in URL Filtering profiles. An entry whose hostname pattern does not end with a forward slash (/), or that ends with an asterisk (*), is not anchored to the end of the hostname: it matches any URL whose hostname begins with the pattern, so the entry allows or blocks more URLs than intended. For example, `example.com` matches `example.com.website.test`, `example.com.*` matches `example.com.website.test`, and `example.com.^` matches `example.com.test`. The security risk is greatest when such an entry is used in a policy rule that allows traffic, because any hostname that begins with the allowed pattern, including one an attacker controls, falls within the allow rule. Where possible, use exact hostnames ending with a forward slash (/) rather than open-ended patterns.
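As an added example (not code from this page or from Palo Alto Networks), the following Python models the matching rules described above and lints a custom URL category or EDL list for entries that match more than intended. The treatment of the trailing slash, `*` (one or more hostname labels) and `^` (exactly one label) is a simplified model derived from the text above, not PAN-OS's implementation, and the sample list is constructed.

```python
"""
Model of the hostname-pattern matching described in the advisory, plus a
linter for custom URL category / EDL entries.  Added illustration code, not
PAN-OS's implementation: the matching rules are a simplified model of what
the advisory text states (no trailing '/' => prefix match; '*' matches one or
more hostname labels; '^' matches exactly one label).
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare hostnames are accepted as well."""
    if "://" not in url:
        url = "//" + url            # let urlsplit treat the string as an authority
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def _match(pat: list[str], host: list[str], anchored: bool) -> bool:
    """Match pattern labels against hostname labels, left to right."""
    if not pat:
        # Pattern exhausted.  An anchored entry (trailing '/') must have consumed
        # the whole hostname; an unanchored entry also matches longer hostnames,
        # which is the over-broad behaviour the advisory describes.
        return not host or not anchored
    if not host:
        return False
    head, rest = pat[0], pat[1:]
    if head == "^":                 # exactly one label
        return _match(rest, host[1:], anchored)
    if head == "*":                 # one or more labels
        return any(_match(rest, host[i:], anchored) for i in range(1, len(host) + 1))
    return head == host[0] and _match(rest, host[1:], anchored)


def matches(entry: str, url: str) -> bool:
    """True if a custom URL category / EDL entry matches the given URL or hostname."""
    anchored = entry.endswith("/")
    host_pattern = entry.split("/", 1)[0].lower()   # any path component is ignored in this model
    return _match(host_pattern.split("."), host_of(url).split("."), anchored)


def risky_entries(list_text: str) -> dict[str, tuple[str, str]]:
    """Flag entries the advisory says match more than intended.

    Returns {entry: (reason, suggested replacement)} for entries that lack a
    trailing '/' or end with '*'.  Blank lines and '#' comments are skipped.
    """
    flagged = {}
    for line in list_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.endswith("*"):
            flagged[entry] = ("ends with '*': open-ended wildcard",
                              "list the intended hostnames explicitly, each ending with '/'")
        elif not entry.endswith("/"):
            flagged[entry] = ("no trailing '/': prefix match also hits longer hostnames",
                              entry + "/")
    return flagged


# Constructed sample list (not real data): one custom URL category entry per line.
SAMPLE_LIST = """\
# allow-list used by a rule that permits traffic
example.com
example.com.*
example.com.^
mail.example.com/
"""

if __name__ == "__main__":
    for entry, (reason, fix) in risky_entries(SAMPLE_LIST).items():
        print(f"{entry:20} {reason}\n{'':20} -> {fix}")
    # The advisory's examples, reproduced by the model:
    for entry, url in [("example.com", "https://example.com.website.test/"),
                       ("example.com/", "https://example.com.website.test/"),
                       ("example.com.*", "https://example.com.website.test/"),
                       ("example.com.^", "https://example.com.test/")]:
        print(f"{entry:15} matches {url:40} {matches(entry, url)}")
```

Run against an exported list, the linter output is a review queue: each flagged entry that feeds a rule allowing traffic should be replaced by the exact hostnames it was meant to cover, each ending with a forward slash.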
**Recommendations**
For PAN-OS versions prior to 10.1.3, update to version 10.1.3 or later.
For PAN-OS versions prior to 10.0.8, update to version 10.0.8 or later.
For PAN-OS versions prior to 9.1.12, update to version 9.1.12 or later.
For PAN-OS 9.0, all versions are affected and no fixed 9.0 release is listed; upgrade to a fixed release of a later version (9.1.12 or later, 10.0.8 or later, or 10.1.3 or later).
For PAN-OS versions prior to 8.1.21, update to version 8.1.21 or later.
For Prisma Access versions 2.2 and 2.1, change the affected custom URL category list or EDL entries to exact hostnames ending with a forward slash (/) to mitigate the risk until a fixed version is available.
As a temporary workaround on any affected version, review custom URL category lists and EDLs for entries that lack a trailing forward slash (/) or end with an asterisk (*), and replace them with exact hostnames ending with a forward slash (/), in particular wherever the list is used in a policy rule that allows traffic.