Severity: 7.4 HIGH (NVD); 6.5 (CNA)
EPSS: 0.1% (top 69.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 19; Latest update Jan 20

Description

An Improper Certificate Validation weakness in the Juniper Networks Junos OS allows an attacker to perform Person-in-the-Middle (PitM) attacks when a system script is fetched from a remote source at a specified HTTPS URL, which may compromise the integrity and confidentiality of the device. The following command, which an administrator can execute via the CLI to refresh a script from a remote location, is affected by this vulnerability: >request system scripts refresh-from (commit | even

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: juniper_networks/junos_os, unspecified, 18.4R2-S9, 18.4R3-S9 +9
NVD: juniper/junos, 18.3 +10

🔴 Vulnerability Details (2)

GHSA: GHSA-74x6-4m9v-24wj: An Improper Certificate Validation weakness in the Juniper Networks Junos OS allows an attacker to perform Person-in-the-Middle (PitM) attacks when a (2022-01-20)
CVEList: Junos OS: Certificate validation is skipped when fetching system scripts from a HTTPS URL (2022-01-19)

📋 Vendor Advisories (1)

Juniper: CVE-2022-22156: An Improper Certificate Validation weakness in the Juniper Networks Junos OS allows an attacker to perform Person-in-the-Middle (PitM) attacks when a (2022-01-19)
CVE-2022-22156 — Improper Certificate Validation | cvebase