CVE-2021-31350 — Improper Privilege Management in Networks Junos OS

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

0.3%

top 43.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Networks Junos OS Juniper Networks Junos OS Evolved Juniper Junos +1 more

Timeline

PublishedOct 19

Latest updateMay 24

Description

An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on Juniper Networks Junos OS and Junos OS Evolved, allows a network-based, low-privileged authenticated attacker to perform operations as root, leading to complete compromise of the targeted system. The issue is caused by the JET service daemon (jsd) process authenticating the user, then passing configuration operations directly to the management daemon (mgd) process, which runs …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5juniper_networks/junos_os_evolvedunspecified — 20.4R2-EVO+1

▶CVEListV5juniper_networks/junos_os18.4 — 18.4R1-S8, 18.4R2-S8, 18.4R3-S8+8

▶NVDjuniper/junos_os_evolved10 versions+9

▶NVDjuniper/junos9 versions+8

Patches

Patch: kb.juniper.net ↗Patch: kb.juniper.net ↗

🔴Vulnerability Details

GHSA

GHSA-8jxq-fcr2-68jw: An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on Juniper Networks Junos OS and↗2022-05-24

▶

CVEList

Junos OS and Junos OS Evolved: Privilege escalation vulnerability in Juniper Extension Toolkit (JET)↗2021-10-19

▶

📋Vendor Advisories

Juniper

CVE-2021-31350: An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on Juniper Networks Junos OS and↗2021-10-19

▶