cbcvebase.
CVE-2018-0001
published 2018-01-10

CVE-2018-0001: A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of…

PriorityP265critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
6.33%
92.8th percentile
A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.

Affected

21 ranges
VendorProductVersion rangeFixed in
juniperj-web
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos_os
juniper_networksjunos_os>= 12.1X46 < 12.1X46-D6712.1X46-D67
juniper_networksjunos_os>= 12.3 < 12.3R12-S512.3R12-S5
juniper_networksjunos_os>= 12.3X48 < 12.3X48-D3512.3X48-D35
juniper_networksjunos_os>= 14.1 < 14.1R8-S5, 14.1R914.1R8-S5, 14.1R9
juniper_networksjunos_os>= 14.1X53 < 14.1X53-D44, 14.1X53-D5014.1X53-D44, 14.1X53-D50
juniper_networksjunos_os>= 14.2 < 14.2R7-S7, 14.2R814.2R7-S7, 14.2R8
juniper_networksjunos_os>= 15.1 < 15.1R315.1R3
juniper_networksjunos_os>= 15.1X49 < 15.1X49-D3015.1X49-D30
juniper_networksjunos_os>= 15.1X53 < 15.1X53-D7015.1X53-D70
mercurialmercurial>= 0 < 4.6.14.6.1

Detection & IOCsextracted from sources · hover to see the quote

  • Exploit traffic targets the J-Web process via crafted PHP URLs; monitor HTTP/S requests to J-Web endpoints containing anomalous or malformed PHP URL patterns on Junos OS devices.
  • The attack is remote and unauthenticated; alert on unexpected or unauthenticated code execution attempts originating from external sources targeting J-Web (typically TCP/443 or TCP/80).
  • ·Vulnerable only on Junos OS versions prior to the fixed releases listed; verify device OS version before applying detections. Fixed versions include 12.1X46-D67, 12.3R12-S5, 12.3X48-D35, 14.1R8-S5/14.1R9, 14.1X53-D44/D50, 14.2R7-S7/14.2R8, 15.1R3, 15.1X49-D30, 15.1X53-D70.
  • ·The vulnerability is rooted in a use-after-free defect in older versions of PHP bundled with Junos OS J-Web; detections should be scoped to Juniper J-Web attack surface, not generic PHP deployments.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.