Refine your search
3 vulnerabilities found for by juniper
CVE-2025-21590 (GCVE-0-2025-21590)
Vulnerability from cvelistv5
Published
2025-03-12 13:59
Modified
2025-10-21 22:55
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
6.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
6.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Summary
An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.
A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.
This issue is not exploitable from the Junos CLI.
This issue affects Junos OS:Â
* All versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,Â
* 22.2 versions before 22.2R3-S6,Â
* 22.4 versions before 22.4R3-S6,Â
* 23.2 versions before 23.2R2-S3,Â
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Version: 0 ≤ Version: 21.4 ≤ Version: 22.2 ≤ Version: 22.4 ≤ Version: 23.2 ≤ Version: 23.4 ≤ Version: 24.2 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21590",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T03:55:21.999597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-03-13",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:23.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-13T00:00:00+00:00",
"value": "CVE-2025-21590 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "21.4R3-S10",
"status": "affected",
"version": "21.4",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S6",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S6",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S3",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R1-S2, 24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Juniper SIRT would like to acknowledge and thank Matteo Memelli from Amazon for responsibly reporting this issue. Note: Amazon found the issue during internal security research and not due to exploitation."
}
],
"datePublic": "2025-03-12T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.\u003cbr\u003e\u003cbr\u003eA local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.\u003cbr\u003eThis issue is not exploitable from the Junos CLI.\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 21.2R3-S9,\u003c/li\u003e\u003cli\u003e21.4 versions before 21.4R3-S10,\u0026nbsp;\u003c/li\u003e\u003cli\u003e22.2 versions before 22.2R3-S6,\u0026nbsp;\u003c/li\u003e\u003cli\u003e22.4 versions before 22.4R3-S6,\u0026nbsp;\u003c/li\u003e\u003cli\u003e23.2 versions before 23.2R2-S3,\u0026nbsp;\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S4,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R1-S2, 24.2R2.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.\n\nA local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.\nThis issue is not exploitable from the Junos CLI.\nThis issue affects Junos OS:\u00a0\n\n\n\n * All versions before 21.2R3-S9,\n * 21.4 versions before 21.4R3-S10,\u00a0\n * 22.2 versions before 22.2R3-S6,\u00a0\n * 22.4 versions before 22.4R3-S6,\u00a0\n * 23.2 versions before 23.2R2-S3,\u00a0\n * 23.4 versions before 23.4R2-S4,\n * 24.2 versions before 24.2R1-S2, 24.2R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "At least one instance of malicious exploitation has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it\u0027s available and in the meantime take steps to mitigate this vulnerability."
}
],
"value": "At least one instance of malicious exploitation has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it\u0027s available and in the meantime take steps to mitigate this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T08:00:02.011Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA93446"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.\u003c/p\u003e\n\u003cp\u003e\u0026nbsp;\u003c/p\u003e\n\u003cp\u003ePlease note that this issue is not fixed for all platforms in the releases specified in the solution section.\u003c/p\u003e\n\u003cp\u003eFor the following products the fix is only available in these releases:\u003c/p\u003e\n\u003cp\u003eSRX300 Series\u2003\u0026nbsp; 21.2R3-S9, 23.4R2-S5*, 24.4R1\u003c/p\u003e\n\u003cp\u003eSRX550HM\u2003\u2003\u2003 22.2R3-S7*\u003c/p\u003e\n\u003cp\u003eEX4300 Series \u0026nbsp; \u0026nbsp; 21.4R3-S11* (except EX4300-48MP which has fixes available as indicated in the solution)\u003c/p\u003e\n\u003cp\u003eEX4600 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 21.4R3-S11* (except EX4650 which has fixes available as indicated in the solution)\u003c/p\u003e\n\u003cp\u003eACX1000, ACX1100, ACX2100, ACX2200, ACX4000,\u003c/p\u003e\n\u003cp\u003eACX500 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;21.2R3-S9\u003c/p\u003e\n\u003cp\u003eMX104 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 21.2R3-S9\u003c/p\u003e\n\u003cp\u003e* Future Release\u0026nbsp;\u003c/p\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.\n\n\n\u00a0\n\n\nPlease note that this issue is not fixed for all platforms in the releases specified in the solution section.\n\n\nFor the following products the fix is only available in these releases:\n\n\nSRX300 Series\u2003\u00a0 21.2R3-S9, 23.4R2-S5*, 24.4R1\n\n\nSRX550HM\u2003\u2003\u2003 22.2R3-S7*\n\n\nEX4300 Series \u00a0 \u00a0 21.4R3-S11* (except EX4300-48MP which has fixes available as indicated in the solution)\n\n\nEX4600 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 21.4R3-S11* (except EX4650 which has fixes available as indicated in the solution)\n\n\nACX1000, ACX1100, ACX2100, ACX2200, ACX4000,\n\n\nACX500 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a021.2R3-S9\n\n\nMX104 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 21.2R3-S9\n\n\n* Future Release"
}
],
"source": {
"advisory": "JSA93446",
"defect": [
"1838460",
"1872010"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-12T14:00:00.000Z",
"value": "Initial Publication"
},
{
"lang": "en",
"time": "2025-03-12T15:16:00.000Z",
"value": "Corrected hotlinks for CVSS assessments"
},
{
"lang": "en",
"time": "2025-03-14T14:00:00.000Z",
"value": "Rephrased sentences on Amazon involvement to reduce the chance for confusion"
},
{
"lang": "en",
"time": "2025-04-09T08:17:00.000Z",
"value": "Updated solution section to clarify which platforms are not fixed in all but only in specific releases"
},
{
"lang": "en",
"time": "2025-04-14T07:15:00.000Z",
"value": "For the products/platforms specifically mentioned in the solution section: Please note that Junos OS version 21.2R3-S9.20, which was made available last week, does not address the issue completely. We\u0027ll publish an updated version with the complete fix and update this advisory as soon as possible."
},
{
"lang": "en",
"time": "2025-05-06T08:00:00.000Z",
"value": "For the products/platforms specifically mentioned in the solution section: Please note that Junos OS version 21.2R3-S9.21 has been publish with the complete fix."
}
],
"title": "Junos OS: An local attacker with shell access can execute arbitrary code",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is strongly recommended to mitigate the risk of exploitation by restricting shell access to trusted users only.\n\n\u003cbr\u003e"
}
],
"value": "It is strongly recommended to mitigate the risk of exploitation by restricting shell access to trusted users only."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-21590",
"datePublished": "2025-03-12T13:59:43.038Z",
"dateReserved": "2024-12-26T14:47:11.667Z",
"dateUpdated": "2025-10-21T22:55:23.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1631 (GCVE-0-2020-1631)
Vulnerability from cvelistv5
Published
2020-05-04 09:25
Modified
2025-10-21 23:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command: user@device> show log httpd.log | match "=*;*&|=*%3b*&" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&" user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Version: 12.3 < 12.3R12-S16 Version: 12.3X48 < 12.3X48-D101, 12.3X48-D105 Version: 14.1X53 < 14.1X53-D54 Version: 15.1 < 15.1R7-S7 Version: 15.1X49 < 15.1X49-D211, 15.1X49-D220 Version: 16.1 < 16.1R7-S8 Version: 17.2 < 17.2R3-S4 Version: 17.3 < 17.3R3-S8 Version: 17.4 < 17.4R2-S11, 17.4R3-S2 Version: 18.1 < 18.1R3-S10 Version: 18.2 < 18.2R2-S7, 18.2R3-S4 Version: 18.3 < 18.3R2-S4, 18.3R3-S2 Version: 18.4 < 18.4R1-S7, 18.4R3-S2 Version: 19.1 < 19.1R1-S5, 19.1R3-S1 Version: 19.2 < 19.2R2 Version: 19.3 < 19.3R2-S3, 19.3R3 Version: 19.4 < 19.4R1-S2, 19.4R2 Version: 20.1 < 20.1R1-S1, 20.1R2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:46:30.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.juniper.net/JSA11021"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-1631",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:53:09.940482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1631"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:44.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1631"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2020-1631 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "12.3R12-S16",
"status": "affected",
"version": "12.3",
"versionType": "custom"
},
{
"lessThan": "12.3X48-D101, 12.3X48-D105",
"status": "affected",
"version": "12.3X48",
"versionType": "custom"
},
{
"lessThan": "14.1X53-D54",
"status": "affected",
"version": "14.1X53",
"versionType": "custom"
},
{
"lessThan": "15.1R7-S7",
"status": "affected",
"version": "15.1",
"versionType": "custom"
},
{
"lessThan": "15.1X49-D211, 15.1X49-D220",
"status": "affected",
"version": "15.1X49",
"versionType": "custom"
},
{
"lessThan": "16.1R7-S8",
"status": "affected",
"version": "16.1",
"versionType": "custom"
},
{
"lessThan": "17.2R3-S4",
"status": "affected",
"version": "17.2",
"versionType": "custom"
},
{
"lessThan": "17.3R3-S8",
"status": "affected",
"version": "17.3",
"versionType": "custom"
},
{
"lessThan": "17.4R2-S11, 17.4R3-S2",
"status": "affected",
"version": "17.4",
"versionType": "custom"
},
{
"lessThan": "18.1R3-S10",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThan": "18.2R2-S7, 18.2R3-S4",
"status": "affected",
"version": "18.2",
"versionType": "custom"
},
{
"lessThan": "18.3R2-S4, 18.3R3-S2",
"status": "affected",
"version": "18.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "18.4R2",
"status": "affected"
}
],
"lessThan": "18.4R1-S7, 18.4R3-S2",
"status": "affected",
"version": "18.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "19.1R2",
"status": "affected"
}
],
"lessThan": "19.1R1-S5, 19.1R3-S1",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"lessThan": "19.2R2",
"status": "affected",
"version": "19.2",
"versionType": "custom"
},
{
"lessThan": "19.3R2-S3, 19.3R3",
"status": "affected",
"version": "19.3",
"versionType": "custom"
},
{
"lessThan": "19.4R1-S2, 19.4R2",
"status": "affected",
"version": "19.4",
"versionType": "custom"
},
{
"lessThan": "20.1R1-S1, 20.1R2",
"status": "affected",
"version": "20.1",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "The examples of the config stanza affected by this issue:\n [system services web-management http]\n [system services web-management https]\n [security dynamic-vpn]"
}
],
"credits": [
{
"lang": "en",
"value": "The Juniper SIRT would like to would like to acknowledge and thank Laing Bian and Leishen Song (@rayh4c) of 360 ATA for reporting this issue."
}
],
"datePublic": "2020-04-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with \u0027world\u0027 readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user \u0027nobody\u0027, the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with \u0027world\u0027 readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device\u003e show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns \"=*;*\u0026\" or \"*%3b*\u0026\" in /var/log/httpd.log, using the following command: user@device\u003e show log httpd.log | match \"=*;*\u0026|=*%3b*\u0026\" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device\u003e show log httpd.log.0.gz | match \"=*;*\u0026|=*%3b*\u0026\" user@device\u003e show log httpd.log.1.gz | match \"=*;*\u0026|=*%3b*\u0026\" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T09:25:12.000Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.juniper.net/JSA11021"
}
],
"solutions": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 12.3R12-S16, 12.3X48-D101, 12.3X48-D105, 14.1X53-D54, 15.1X49-D211, 15.1X49-D220, 15.1R7-S7, 16.1R7-S8, 17.2R3-S4, 17.4R2-S11, 17.3R3-S8, 17.4R3-S2, 18.1R3-S10, 18.2R2-S7, 18.2R3-S4, 18.3R2-S4, 18.3R3-S2, 18.4R1-S7, 18.4R3-S2, 19.1R1-S5, 19.1R3-S1, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1-S1, 20.1R2 and all subsequent releases.\n\nNote: At the time of this publication, the following fixed releases are available for customer download: 12.3X48-D101, 15.1X49-D211, 18.2R3-S4, 18.4R3-S2, and 20.1R1-S1, the remaining fixed releases will be available in future time.\n\n12.3X48-D101 \u0026 15.1X49-D211 releases can be downloaded from the below URLs:\n\n12.3X48-D101 :\nBranch SRX-Series Install Package (for SRX100H2, SRX110HE2, SRX210H2, SRX220H2, SRX240H2, SRX550, SRX650): junos-srxsme-12.3X48-D101-domestic.tgz \nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107438.html\n MD5 = b822376f7a385e74499b186cf28c122b\n SHA-1 = e6138e45bf9d29e962468e6e114e537142d4cc0d\n SHA-256 = b21a9ae9f5d0b0ec25180682193faba7bf54e836fda0eb78babd3df843f90e6a\n \nSRX 1000/3000-Series Install Package : junos-srx1k3k-12.3X48-D101-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107436.html\n MD5 = b93229ea43f66b539f22ecc5a9be0f07\n SHA-1 = 2c625e9bc155b9fcb4c9a1a371bba473363ee6f0\n SHA-256 = 982434f9cde9492e1d80d14c43a7cdcc5261db15a11f65fa7c9881a0fc0cd3db\n \nSRX5000-Series Install Package: junos-srx5000-12.3X48-D101-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107437.html\n MD5 = 7dc73801b7680fda42d453d6d3d6f10c\n SHA-1 = 05f1eda5ec112c7e2afeebea4d47c007e0a8bd60\n SHA-256 = 88d40e4b6b949a5c656c2b5fffa3adb41fe4943fb3e5d9cfaa439e603889e839\n \n15.1X49-D211:\nSRX300 \u0026 SRX500-Series Install Package: junos-srxsme-15.1X49-D211-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107439.html\n MD5 = dfd3428c7f83eb11142bbe32bac2a151\n SHA-1 = a22f0ead795c8afb0a4d59d1b9b785c83801cd65\n SHA-256 = dc42e24db0e2af7b2e6aaafdaa61f8e658fabc91c8a888efad586a5fbd2fa29a\n \nSRX1500 Install Package: junos-srxentedge-15.1X49-D211-domestic.tgz \nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107442.html\n MD5 = 348f2fcd96b31d51b9d71147d09fabd8\n SHA-1 = cf8ee775ca1ca12706975fdd0748c1967732c2fe\n SHA-256 = 62d460ea531161936f0ac75fa4501bc6cadb700388bdb93b7e706a09e985eff5\n \nSRX4100 and SRX4200 Install Package: junos-srxmr-15.1X49-D211-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107441.html\n MD5 = 55b4c96b05b5fd9595a8ee071dbbf438\n SHA-1 = ae6d7978964c3be6b632033b3616208e47653617\n SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1\n \nSRX5000 Series Install Package: junos-srx5000-15.1X49-D211-domestic.tgz \nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107440.html\n MD5 = b918fa5a341815ccdb230560539e8725\n SHA-1 = 38e912a55f1407e18e1bb8305f854fcd97c1adcb\n SHA-256 = c1aaafdd9b23a525236c414e4cf213542246326317070b5e98ac5cccc5fa1e72\n \nvSRX Upgrade TGZ: junos-vsrx-15.1X49-D211-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107452.html\n MD5 = 55b4c96b05b5fd9595a8ee071dbbf438\n SHA-1 = ae6d7978964c3be6b632033b3616208e47653617\n SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1"
}
],
"source": {
"advisory": "JSA11021",
"defect": [
"1499280"
],
"discovery": "EXTERNAL"
},
"title": "Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services",
"workarounds": [
{
"lang": "en",
"value": "There are no viable workarounds for this issue.\n\nIt is highly recommended to disable HTTP/HTTPS service and DVPN:\n user@device# deactivate system services web-management\n user@device# deactivate security dynamic-vpn (if DVPN is enabled)\n user@device# commit\nor allowing HTTP service only on from trusted hosts or networks (refer to https://kb.juniper.net/KB21265 for details on how to limite HTTP service)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2020-04-27T16:00:00.000Z",
"ID": "CVE-2020-1631",
"STATE": "PUBLIC",
"TITLE": "Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Junos OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "12.3",
"version_value": "12.3R12-S16"
},
{
"version_affected": "\u003c",
"version_name": "12.3X48",
"version_value": "12.3X48-D101, 12.3X48-D105"
},
{
"version_affected": "\u003c",
"version_name": "14.1X53",
"version_value": "14.1X53-D54"
},
{
"version_affected": "\u003c",
"version_name": "15.1",
"version_value": "15.1R7-S7"
},
{
"version_affected": "\u003c",
"version_name": "15.1X49",
"version_value": "15.1X49-D211, 15.1X49-D220"
},
{
"version_affected": "\u003c",
"version_name": "16.1",
"version_value": "16.1R7-S8"
},
{
"version_affected": "\u003c",
"version_name": "17.2",
"version_value": "17.2R3-S4"
},
{
"version_affected": "\u003c",
"version_name": "17.3",
"version_value": "17.3R3-S8"
},
{
"version_affected": "\u003c",
"version_name": "17.4",
"version_value": "17.4R2-S11, 17.4R3-S2"
},
{
"version_affected": "\u003c",
"version_name": "18.1",
"version_value": "18.1R3-S10"
},
{
"version_affected": "\u003c",
"version_name": "18.2",
"version_value": "18.2R2-S7, 18.2R3-S4"
},
{
"version_affected": "\u003c",
"version_name": "18.3",
"version_value": "18.3R2-S4, 18.3R3-S2"
},
{
"version_affected": "\u003c",
"version_name": "18.4",
"version_value": "18.4R1-S7, 18.4R3-S2"
},
{
"version_affected": "\u003e=",
"version_name": "18.4",
"version_value": "18.4R2"
},
{
"version_affected": "\u003c",
"version_name": "19.1",
"version_value": "19.1R1-S5, 19.1R3-S1"
},
{
"version_affected": "\u003e=",
"version_name": "19.1",
"version_value": "19.1R2"
},
{
"version_affected": "\u003c",
"version_name": "19.2",
"version_value": "19.2R2"
},
{
"version_affected": "\u003c",
"version_name": "19.3",
"version_value": "19.3R2-S3, 19.3R3"
},
{
"version_affected": "\u003c",
"version_name": "19.4",
"version_value": "19.4R1-S2, 19.4R2"
},
{
"version_affected": "\u003c",
"version_name": "20.1",
"version_value": "20.1R1-S1, 20.1R2"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "The examples of the config stanza affected by this issue:\n [system services web-management http]\n [system services web-management https]\n [security dynamic-vpn]"
}
],
"credit": [
{
"lang": "eng",
"value": "The Juniper SIRT would like to would like to acknowledge and thank Laing Bian and Leishen Song (@rayh4c) of 360 ATA for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with \u0027world\u0027 readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user \u0027nobody\u0027, the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with \u0027world\u0027 readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device\u003e show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns \"=*;*\u0026\" or \"*%3b*\u0026\" in /var/log/httpd.log, using the following command: user@device\u003e show log httpd.log | match \"=*;*\u0026|=*%3b*\u0026\" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device\u003e show log httpd.log.0.gz | match \"=*;*\u0026|=*%3b*\u0026\" user@device\u003e show log httpd.log.1.gz | match \"=*;*\u0026|=*%3b*\u0026\" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-73 External Control of File Name or Path"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA11021",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA11021"
}
]
},
"solution": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 12.3R12-S16, 12.3X48-D101, 12.3X48-D105, 14.1X53-D54, 15.1X49-D211, 15.1X49-D220, 15.1R7-S7, 16.1R7-S8, 17.2R3-S4, 17.4R2-S11, 17.3R3-S8, 17.4R3-S2, 18.1R3-S10, 18.2R2-S7, 18.2R3-S4, 18.3R2-S4, 18.3R3-S2, 18.4R1-S7, 18.4R3-S2, 19.1R1-S5, 19.1R3-S1, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1-S1, 20.1R2 and all subsequent releases.\n\nNote: At the time of this publication, the following fixed releases are available for customer download: 12.3X48-D101, 15.1X49-D211, 18.2R3-S4, 18.4R3-S2, and 20.1R1-S1, the remaining fixed releases will be available in future time.\n\n12.3X48-D101 \u0026 15.1X49-D211 releases can be downloaded from the below URLs:\n\n12.3X48-D101 :\nBranch SRX-Series Install Package (for SRX100H2, SRX110HE2, SRX210H2, SRX220H2, SRX240H2, SRX550, SRX650): junos-srxsme-12.3X48-D101-domestic.tgz \nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107438.html\n MD5 = b822376f7a385e74499b186cf28c122b\n SHA-1 = e6138e45bf9d29e962468e6e114e537142d4cc0d\n SHA-256 = b21a9ae9f5d0b0ec25180682193faba7bf54e836fda0eb78babd3df843f90e6a\n \nSRX 1000/3000-Series Install Package : junos-srx1k3k-12.3X48-D101-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107436.html\n MD5 = b93229ea43f66b539f22ecc5a9be0f07\n SHA-1 = 2c625e9bc155b9fcb4c9a1a371bba473363ee6f0\n SHA-256 = 982434f9cde9492e1d80d14c43a7cdcc5261db15a11f65fa7c9881a0fc0cd3db\n \nSRX5000-Series Install Package: junos-srx5000-12.3X48-D101-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107437.html\n MD5 = 7dc73801b7680fda42d453d6d3d6f10c\n SHA-1 = 05f1eda5ec112c7e2afeebea4d47c007e0a8bd60\n SHA-256 = 88d40e4b6b949a5c656c2b5fffa3adb41fe4943fb3e5d9cfaa439e603889e839\n \n15.1X49-D211:\nSRX300 \u0026 SRX500-Series Install Package: junos-srxsme-15.1X49-D211-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107439.html\n MD5 = dfd3428c7f83eb11142bbe32bac2a151\n SHA-1 = a22f0ead795c8afb0a4d59d1b9b785c83801cd65\n SHA-256 = dc42e24db0e2af7b2e6aaafdaa61f8e658fabc91c8a888efad586a5fbd2fa29a\n \nSRX1500 Install Package: junos-srxentedge-15.1X49-D211-domestic.tgz \nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107442.html\n MD5 = 348f2fcd96b31d51b9d71147d09fabd8\n SHA-1 = cf8ee775ca1ca12706975fdd0748c1967732c2fe\n SHA-256 = 62d460ea531161936f0ac75fa4501bc6cadb700388bdb93b7e706a09e985eff5\n \nSRX4100 and SRX4200 Install Package: junos-srxmr-15.1X49-D211-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107441.html\n MD5 = 55b4c96b05b5fd9595a8ee071dbbf438\n SHA-1 = ae6d7978964c3be6b632033b3616208e47653617\n SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1\n \nSRX5000 Series Install Package: junos-srx5000-15.1X49-D211-domestic.tgz \nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107440.html\n MD5 = b918fa5a341815ccdb230560539e8725\n SHA-1 = 38e912a55f1407e18e1bb8305f854fcd97c1adcb\n SHA-256 = c1aaafdd9b23a525236c414e4cf213542246326317070b5e98ac5cccc5fa1e72\n \nvSRX Upgrade TGZ: junos-vsrx-15.1X49-D211-domestic.tgz\nhttps://webdownload.juniper.net/swdl/dl/secure/site/1/record/107452.html\n MD5 = 55b4c96b05b5fd9595a8ee071dbbf438\n SHA-1 = ae6d7978964c3be6b632033b3616208e47653617\n SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1"
}
],
"source": {
"advisory": "JSA11021",
"defect": [
"1499280"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "There are no viable workarounds for this issue.\n\nIt is highly recommended to disable HTTP/HTTPS service and DVPN:\n user@device# deactivate system services web-management\n user@device# deactivate security dynamic-vpn (if DVPN is enabled)\n user@device# commit\nor allowing HTTP service only on from trusted hosts or networks (refer to https://kb.juniper.net/KB21265 for details on how to limite HTTP service)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2020-1631",
"datePublished": "2020-05-04T09:25:12.322Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:44.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7755 (GCVE-0-2015-7755)
Vulnerability from cvelistv5
Published
2015-12-19 11:00
Modified
2025-10-21 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:58:59.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/"
},
{
"name": "1034489",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034489"
},
{
"name": "VU#640184",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/640184"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hdm/juniper-cve-2015-7755"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10713"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://twitter.com/cryptoron/statuses/677900647560253442"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2015/12/17/much-ado-about-juniper/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.forbes.com/sites/thomasbrewster/2015/12/18/juniper-says-it-didnt-work-with-government-to-add-unauthorized-code-to-network-gear/"
},
{
"name": "79626",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/79626"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2015-7755",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T03:55:46.311110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-10-02",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-7755"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:55:56.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-7755"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-02T00:00:00+00:00",
"value": "CVE-2015-7755 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T16:48:24.593Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/"
},
{
"url": "http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/"
},
{
"name": "1034489",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1034489"
},
{
"name": "VU#640184",
"tags": [
"third-party-advisory"
],
"url": "http://www.kb.cert.org/vuls/id/640184"
},
{
"url": "https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554"
},
{
"url": "https://github.com/hdm/juniper-cve-2015-7755"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10713"
},
{
"url": "http://twitter.com/cryptoron/statuses/677900647560253442"
},
{
"url": "https://adamcaudill.com/2015/12/17/much-ado-about-juniper/"
},
{
"url": "http://www.forbes.com/sites/thomasbrewster/2015/12/18/juniper-says-it-didnt-work-with-government-to-add-unauthorized-code-to-network-gear/"
},
{
"name": "79626",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/79626"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7755",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/",
"refsource": "MISC",
"url": "http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/"
},
{
"name": "http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/",
"refsource": "MISC",
"url": "http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/"
},
{
"name": "1034489",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034489"
},
{
"name": "VU#640184",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/640184"
},
{
"name": "https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554",
"refsource": "CONFIRM",
"url": "https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554"
},
{
"name": "https://github.com/hdm/juniper-cve-2015-7755",
"refsource": "MISC",
"url": "https://github.com/hdm/juniper-cve-2015-7755"
},
{
"name": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10713",
"refsource": "CONFIRM",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10713"
},
{
"name": "http://twitter.com/cryptoron/statuses/677900647560253442",
"refsource": "MISC",
"url": "http://twitter.com/cryptoron/statuses/677900647560253442"
},
{
"name": "https://adamcaudill.com/2015/12/17/much-ado-about-juniper/",
"refsource": "MISC",
"url": "https://adamcaudill.com/2015/12/17/much-ado-about-juniper/"
},
{
"name": "http://www.forbes.com/sites/thomasbrewster/2015/12/18/juniper-says-it-didnt-work-with-government-to-add-unauthorized-code-to-network-gear/",
"refsource": "MISC",
"url": "http://www.forbes.com/sites/thomasbrewster/2015/12/18/juniper-says-it-didnt-work-with-government-to-add-unauthorized-code-to-network-gear/"
},
{
"name": "79626",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/79626"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7755",
"datePublished": "2015-12-19T11:00:00.000Z",
"dateReserved": "2015-10-08T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:55:56.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}