CVE-2025-2181
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-13
Assigner: Palo Alto Networks, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palo_alto_networks | checkov_by_prisma_cloud | 3.2.449 |
| palo_alto_networks | checkov_by_prisma_cloud | 3.2.448 |
| palo_alto_networks | checkov_by_prisma_cloud | 3.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Palo Alto Networks Checkov by Prisma Cloud causes Prisma Cloud access keys to be exposed in cleartext within Checkov's output files. This means sensitive access keys can be found by anyone who can access these output files, potentially allowing unauthorized access to Prisma Cloud resources. The issue affects Checkov versions 3.2.0 up to but not including 3.2.449, requires no special configuration, and involves low attack complexity but requires user interaction and access to the output files. [1]
How can this vulnerability impact me?
The vulnerability can lead to the exposure of Prisma Cloud access keys, which are sensitive credentials. If an attacker obtains these keys, they could potentially access and manipulate Prisma Cloud resources, leading to a compromise of confidentiality. The impact on confidentiality is high, while integrity and availability are not affected. This could result in unauthorized access to cloud environments and data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for Checkov output files that contain Prisma Cloud access keys in cleartext. Since no special configuration is required for the vulnerability to be present, you can look for output files generated by Checkov versions 3.2.0 up to 3.2.448. Commands to detect exposed keys could include searching for known key patterns or keywords in Checkov output files, for example using grep on Linux systems: `grep -r 'access_key' /path/to/checkov/output`, or searching for files containing sensitive strings related to Prisma Cloud access keys. However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate steps to mitigate this vulnerability are to upgrade Checkov to version 3.2.449 or later, as this version addresses the cleartext exposure issue. Additionally, after upgrading, all Prisma Cloud access keys used by Checkov should be rotated to prevent misuse of any potentially exposed keys. There are no known workarounds or mitigations other than upgrading and key rotation. [1]
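The two answers above (detection by searching output files, and mitigation by checking the installed version before rotating keys) can be combined into one local check. The script below is an added example written for this page; it is not code from BaseFortify, Palo Alto Networks or the Checkov project. It uses only the version numbers stated on the page (affected from 3.2.0 up to, but not including, 3.2.449). The field names (`prisma_access_key` and similar), the value shape it treats as credential-like, and the sample output files are assumptions constructed for illustration, since the page does not document Checkov's output format.

```python
"""Local checks for CVE-2025-2181 (added example; not BaseFortify's or Checkov's code).

1. is_affected(): compare a Checkov version string against the affected range
   stated on the page (3.2.0 up to, but not including, 3.2.449).
2. scan_output_dir(): walk a directory of Checkov output files and flag string
   values stored under credential-like field names. Field names, value shape and
   file layout are ASSUMPTIONS for illustration; the page does not document
   Checkov's real output format.
"""
import json
import re
import tempfile
from pathlib import Path

FIRST_AFFECTED = (3, 2, 0)    # from the page
FIXED_VERSION = (3, 2, 449)   # from the page

# Assumption: field names that commonly carry credentials.
SENSITIVE_NAME = re.compile(r"(access[_-]?key|secret[_-]?key|api[_-]?key|token|password)", re.I)
# Assumption: credential values are long opaque strings (20+ chars).
SENSITIVE_VALUE = re.compile(r"^[A-Za-z0-9+/=_\-:]{20,}$")
# Fallback for non-JSON output: "NAME=value" or "NAME: value" lines.
KV_LINE = re.compile(r"([\w\-]+)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-:]{20,})['\"]?")


def parse_version(version):
    """'3.2.448' -> (3, 2, 448); only the first three numeric parts are compared."""
    return tuple(int(p) for p in version.strip().split(".")[:3])


def is_affected(version):
    """True when the version lies inside the affected range given on the page."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def _leaves(obj, path=""):
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}/{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{i}]")
    else:
        yield path, obj


def find_cleartext_secrets(text):
    """Return [(location, value)] for credential-looking strings in one file body."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        data = None
    if data is not None:
        for path, val in _leaves(data):
            name = path.rsplit("/", 1)[-1]
            if isinstance(val, str) and SENSITIVE_NAME.search(name) and SENSITIVE_VALUE.match(val):
                findings.append((path, val))
        return findings
    # Non-JSON output: look for key=value / key: value lines instead.
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KV_LINE.search(line)
        if m and SENSITIVE_NAME.search(m.group(1)):
            findings.append((f"line {lineno}:{m.group(1)}", m.group(2)))
    return findings


def scan_output_dir(root):
    """Map relative file path -> findings for every output file with a hit."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".json", ".txt", ".log", ".sarif"}:
            hits = find_cleartext_secrets(p.read_text(errors="replace"))
            if hits:
                results[str(p.relative_to(root))] = hits
    return results


# Constructed sample files: not real Checkov output and not real keys.
SAMPLE_JSON = json.dumps({
    "check_type": "terraform",
    "summary": {"passed": 3, "failed": 1},
    "platform_upload": {  # assumed block where a platform credential could end up
        "prisma_access_key": "a1b2c3d4-0000-1111-2222-333344445555",
        "prisma_secret_key": "Z9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4J3i2H1g0",
    },
    "results": {"failed_checks": [{"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.logs"}]},
})
SAMPLE_LOG = (
    "checkov 3.2.448 run started\n"
    "PRISMA_ACCESS_KEY=a1b2c3d4-0000-1111-2222-333344445555\n"
    "passed: 3, failed: 1\n"
)
CLEAN_JSON = json.dumps({
    "check_type": "terraform",
    "results": {"passed_checks": [{"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs"}]},
})


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "results.json").write_text(SAMPLE_JSON)
        (Path(d) / "run.log").write_text(SAMPLE_LOG)
        (Path(d) / "clean.json").write_text(CLEAN_JSON)
        return scan_output_dir(d)


if __name__ == "__main__":
    print("3.2.448 affected:", is_affected("3.2.448"), "| 3.2.449 affected:", is_affected("3.2.449"))
    for path, hits in demo().items():
        for loc, val in hits:
            print(f"{path}: {loc} -> {val[:6]}... (cleartext credential; rotate it)")
```

Point `scan_output_dir` at the directory where your Checkov runs write their reports; any hit is a key that should be treated as exposed and rotated after the upgrade to 3.2.449 or later, regardless of whether the file was ever shared. The name and value patterns are deliberately broad, so expect to tune them against your own output before relying on the result.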