CVE-2022-0019

GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux

Description

An insufficiently protected credentials vulnerability exists in the Palo Alto Networks GlobalProtect app on Linux that exposes the hashed credentials of GlobalProtect users that saved their password during previous GlobalProtect app sessions to other local users on the system. The exposed credentials enable a local attacker to authenticate to the GlobalProtect portal or gateway as the target user without knowing of the target user’s plaintext password. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Linux. GlobalProtect app 5.2 versions earlier than and including GlobalProtect app 5.2.7 on Linux. GlobalProtect app 5.3 versions earlier than GlobalProtect app 5.3.2 on Linux. This issue does not affect the GlobalProtect app on other platforms.

Remediation

Solution:

  • This issue is fixed in GlobalProtect app 5.1.10 on Linux, GlobalProtect app 5.3.2 on Linux, and all later GlobalProtect app versions. Existing credentials files that are exposed by this issue will be secured when the fixed GlobalProtect app is launched.

Workaround:

  • Users should not save their credentials until the GlobalProtect app is upgraded to a fixed version. GlobalProtect portal administrators can prevent GlobalProtect app users from saving their credentials on the next connection to the GlobalProtect portal by preventing ‘Save User Credentials’ from the portal agent configuration as described here: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/user-behavior-options.html

Category

4.7
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.04%
Vendor Advisory paloaltonetworks.com
Affected: Palo Alto Networks GlobalProtect App
Published at:
Updated at:

References

Link Tags
https://security.paloaltonetworks.com/CVE-2022-0019 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-0019?
CVE-2022-0019 has been scored as a medium severity vulnerability.
How to fix CVE-2022-0019?
To fix CVE-2022-0019: This issue is fixed in GlobalProtect app 5.1.10 on Linux, GlobalProtect app 5.3.2 on Linux, and all later GlobalProtect app versions. Existing credentials files that are exposed by this issue will be secured when the fixed GlobalProtect app is launched.
Is CVE-2022-0019 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-0019 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-0019?
CVE-2022-0019 affects Palo Alto Networks GlobalProtect App.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.