| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions. |
| An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart.
This issue affects Junos OS on SRX Series:
* 23.2 versions from 23.2R2-S2 before 23.2R2-S5,
* 23.4 versions from 23.4R2-S1 before 23.4R2-S5,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R1-S3, 24.4R2.
Earlier versions of Junos are also affected, but no fix is available. |
| An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS).
On all EX4k and QFX5k platforms, a link flap in an
EVPN-VXLAN configuration Link Aggregation Group (LAG)
results in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination.
This issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650.
Service can only be restored by restarting the affected FPC via the 'request chassis fpc restart slot <slot-number>' command.
This issue affects Junos OS
on EX4k and QFX5k Series:
* all versions before 21.4R3-S12,
* all versions of 22.2
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2. |
| A Buffer Copy without Checking Size of Input vulnerability in the
Session Initialization Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).
When memory utilization is high, and specific SIP packets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attackers control, so they would not be able to deterministically exploit this.
This issue affects Junos OS on SRX Series and MX Series:
* All versions before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2. |
| An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.
A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.
This issue is not exploitable from the Junos CLI.
This issue affects Junos OS:
* All versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2. |
| A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables.
Using a crafted request an attacker is able to modify
certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
* All versions prior to 20.4R3-S9;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S7;
* 21.3 versions
prior to
21.3R3-S5;
* 21.4 versions
prior to
21.4R3-S5;
* 22.1 versions
prior to
22.1R3-S4;
* 22.2 versions
prior to
22.2R3-S2;
* 22.3 versions
prior to 22.3R3-S1;
* 22.4 versions
prior to
22.4R2-S2, 22.4R3;
* 23.2 versions prior to
23.2R1-S1, 23.2R2. |
| A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series
and SRX Series
allows an unauthenticated, network-based attacker to remotely execute code.
Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code.
This issue affects Juniper Networks Junos OS on EX Series
and
SRX Series:
* All versions prior to
20.4R3-S9;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S7;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions
prior to
22.1R3-S4;
* 22.2 versions
prior to
22.2R3-S2;
* 22.3 versions
prior to
22.3R2-S2, 22.3R3-S1;
* 22.4 versions
prior to
22.4R2-S1, 22.4R3;
* 23.2 versions prior to 23.2R1-S1, 23.2R2. |
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of
integrity
for a certain
part of the file system, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on SRX Series:
* All versions prior to 20.4R3-S8;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions
prior to
21.3R3-S5;
* 21.4 versions
prior to
21.4R3-S5;
* 22.1 versions
prior to
22.1R3-S3;
* 22.2 versions
prior to
22.2R3-S2;
* 22.3 versions
prior to
22.3R2-S2, 22.3R3;
* 22.4 versions
prior to
22.4R2-S1, 22.4R3.
|
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of
integrity
for a certain
part of the file system, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
* All versions prior to 20.4R3-S8;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions
prior to
21.3R3-S5;
* 21.4 versions
prior to
21.4R3-S4;
* 22.1 versions
prior to
22.1R3-S3;
* 22.2 versions
prior to
22.2R3-S1;
* 22.3 versions
prior to
22.3R2-S2, 22.3R3;
* 22.4 versions
prior to
22.4R2-S1, 22.4R3.
|
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to
webauth_operation.php
that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of
integrity or confidentiality, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on SRX Series:
*
21.2 versions prior to 21.2R3-S8;
* 21.4
versions prior to
21.4R3-S6;
* 22.1
versions prior to
22.1R3-S5;
* 22.2
versions prior to
22.2R3-S3;
* 22.3
versions prior to
22.3R3-S2;
* 22.4 versions prior to 22,4R2-S2, 22.4R3;
* 23.2 versions prior to
23.2R1-S2, 23.2R2.
|
| A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command: user@device> show log httpd.log | match "=*;*&|=*%3b*&" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&" user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to store script tags directly in web pages that, when viewed by another user, enable the attacker to execute commands with the target's administrative permissions.
This issue affects all versions of Junos Space before 24.1R4. |
| An Authentication Bypass by Primary Weakness
in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device.
When the FTP server is enabled and a user named "ftp" or "anonymous" is configured, that user can login without providing the configured password and then has read-write access to their home directory.
This issue affects Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2. |
| An Origin Validation Error vulnerability in an insufficient protected file of Juniper Networks Junos OS on EX4600 Series and QFX5000 Series allows an unauthenticated attacker with physical access to the device to create a backdoor which allows complete control of the system.
When a device isn't configured with a root password, an attacker can modify a specific file. It's contents will be added to the Junos configuration of the device without being visible. This allows for the addition of any configuration unknown
to the actual operator, which includes users, IP addresses and other configuration which could allow unauthorized access to the device.
This exploit is persistent across reboots and even zeroization.
The indicator of compromise is a modified /etc/config/<platform>-defaults[-flex].conf file. Review that file for unexpected configuration statements, or compare it to an unmodified version which can be extracted from the original Juniper software image file. For details on the extraction procedure please contact Juniper Technical Assistance Center (JTAC).
To restore the device to a trusted initial configuration the system needs to be reinstalled from physical media.
This issue affects Junos OS on EX4600 Series and QFX5000 Series:
* All versions before 21.4R3,
* 22.2 versions before 22.2R3-S3. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Secure Console page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.
This issue affects all versions of Junos Space before 24.1R4. |
| An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker's control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).
With BGP sharding enabled, triggering route resolution of an indirect next-hop (e.g., an IGP route change over which a BGP route gets resolved), may cause rpd to crash and restart. An attacker causing continuous IGP route churn, resulting in repeated route re-resolution, will increase the likelihood of triggering this issue, leading to a potentially extended DoS condition.
This issue affects:
Junos OS:
* all versions before 21.4R3-S6,
* from 22.1 before 22.1R3-S6,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2;
Junos OS Evolved:
* all versions before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-EVO,
* from 23.2 before 23.2R2-EVO.
Versions before Junos OS 21.3R1 and Junos OS Evolved 21.3R1-EVO are unaffected by this issue. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the API Access Profiles page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.
This issue affects all versions of Junos Space before 24.1R4. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the arbitrary device search field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Template Definition page, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Template Definitions page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.
This issue affects all versions of Junos Space before 24.1R4. |
