CVE-2021-31386Channel Accessible by Non-Endpoint in Networks Junos OS

CWE-300Channel Accessible by Non-EndpointCWE-311Missing Encryption of Sensitive DataCWE-325Missing Cryptographic StepCWE-693Protection Mechanism Failure4 documents4 sources
Severity
5.9MEDIUMNVD
CNA5.3
EPSS
0.1%
top 64.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Juniper Networks Junos OSJuniper Junos
Timeline
PublishedOct 19
Latest updateMay 24

Description

A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perform Person-in-the-Middle (PitM) attacks against the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S20; 15.1 versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

CVEListV5juniper_networks/junos_os12.312.3R12-S20+13
NVDjuniper/junos14 versions+13

🔴Vulnerability Details

2
GHSA
GHSA-5cg5-qvwp-fmh7: A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perfor2022-05-24
CVEList
Junos OS: When using J-Web with HTTP an attacker may retrieve encryption keys via Person-in-the-Middle attacks.2021-10-19

📋Vendor Advisories

1
Juniper
CVE-2021-31386: A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perfor2021-10-19
CVE-2021-31386 — Channel Accessible by Non-Endpoint | cvebase