CVE-2021-0256Execution with Unnecessary Privileges in Networks Junos OS

CWE-250Execution with Unnecessary PrivilegesCWE-269Improper Privilege Management4 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 89.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Juniper Networks Junos OSJuniper Junos
Timeline
PublishedApr 22
Latest updateMay 24

Description

A sensitive information disclosure vulnerability in the mosquitto message broker of Juniper Networks Junos OS may allow a locally authenticated user with shell access the ability to read portions of sensitive files, such as the master.passwd file. Since mosquitto is shipped with setuid permissions enabled and is owned by the root user, this vulnerability may allow a local privileged user the ability to run mosquitto with root privileges and access sensitive information stored on the local filesy

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5juniper_networks/junos_os17.317.3R3-S12+8
NVDjuniper/junos14 versions+13

🔴Vulnerability Details

2
GHSA
GHSA-fchr-g73c-p263: A sensitive information disclosure vulnerability in the mosquitto message broker of Juniper Networks Junos OS may allow a locally authenticated user w2022-05-24
CVEList
Junos OS: mosquitto Local Privilege Escalation vulnerability in SUID binaries2021-04-22

📋Vendor Advisories

1
Juniper
CVE-2021-0256: A sensitive information disclosure vulnerability in the mosquitto message broker of Juniper Networks Junos OS may allow a locally authenticated user w2021-04-22
CVE-2021-0256 — Execution with Unnecessary Privileges | cvebase