CVE-2021-31384 — Improper Authorization in Networks Junos OS

CWE-285 — Improper Authorization CWE-551 — Incorrect Behavior Order: Authorization Before Parsing and Canonicalization CWE-862 — Missing Authorization CWE-939 — Improper Authorization in Handler for Custom URL Scheme CWE-1220 — Insufficient Granularity of Access Control4 documents4 sources

Severity

10.0CRITICALNVD

CNA7.2

EPSS

0.4%

top 41.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Networks Junos OS Juniper Junos

Timeline

PublishedOct 19

Latest updateMay 24

Description

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5juniper_networks/junos_os20.4R1 — 20.4*+1

▶NVDjuniper/junos20.4, 21.1+1

🔴Vulnerability Details

GHSA

GHSA-g6h6-r377-vh4m: Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in J↗2022-05-24

▶

CVEList

Junos OS: SRX Series: Under a specific device configuration an attacker can access the devices J-Web management services from any interface, regardless of security settings protecting the service↗2021-10-19

▶

📋Vendor Advisories

Juniper

CVE-2021-31384: Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in J↗2021-10-19

▶