CVE-2020-1688: Exposure of Private Personal Information to an Unauthorized Actor in Networks Junos OS

Severity
6.5 MEDIUM (NVD)
EPSS
0.1%
top 82.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 16
Latest update: May 24

Description

On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an attacker to decrypt the communications between the Juniper device and the authenticator service. This Web API service is used for authentication services such as the Juniper Identity Management Service,

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.0 | Impact: 4.0

Affected Packages: 2 packages

CVEListV5 | juniper_networks/junos_os | 12.3X48 | 12.3X48-D105 | +11
NVD | juniper/junos | 12 versions | +11

Vulnerability Details: 2

GHSA
GHSA-cccx-r256-72j4: On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is (2022-05-24)
CVEList
Junos OS: SRX and NFX Series: Insufficient Web API private key protection (2020-10-16)

Vendor Advisories: 1

Juniper
CVE-2020-1688: On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is (2020-10-16)