cnvd - cnvd-2018-21611

cnvd-2018-21611

Vulnerability from cnvd

Title: OpenNMS跨站脚本漏洞（CNVD-2018-21611）

Description:

Juniper Junos Space是美国瞻博网络（Juniper Networks）公司的一套网络管理解决方案。该方案支持在设备和服务的整个生命周期内对其进行自动配置、监控和故障排除。OpenNMS是其中的一套网络管理系统。

Juniper Junos Space 18.2R1之前版本中的OpenNMS存在跨站脚本漏洞。远程攻击者可利用该漏洞窃取敏感信息/会话凭证或执行管理操作。

Severity: 中

Patch Name: OpenNMS跨站脚本漏洞（CNVD-2018-21611）的补丁

Patch Description:

Juniper Junos Space 18.2R1之前版本中的OpenNMS存在跨站脚本漏洞。远程攻击者可利用该漏洞窃取敏感信息/会话凭证或执行管理操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d

Reference: https://www.securityfocus.com/bid/105566

Impacted products

Name
Juniper Networks Junos Space <18.2R1

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "105566"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-0046",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0046"
    }
  },
  "description": "Juniper Junos Space\u662f\u7f8e\u56fd\u77bb\u535a\u7f51\u7edc\uff08Juniper Networks\uff09\u516c\u53f8\u7684\u4e00\u5957\u7f51\u7edc\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u652f\u6301\u5728\u8bbe\u5907\u548c\u670d\u52a1\u7684\u6574\u4e2a\u751f\u547d\u5468\u671f\u5185\u5bf9\u5176\u8fdb\u884c\u81ea\u52a8\u914d\u7f6e\u3001\u76d1\u63a7\u548c\u6545\u969c\u6392\u9664\u3002OpenNMS\u662f\u5176\u4e2d\u7684\u4e00\u5957\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nJuniper Junos Space 18.2R1\u4e4b\u524d\u7248\u672c\u4e2d\u7684OpenNMS\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7a83\u53d6\u654f\u611f\u4fe1\u606f/\u4f1a\u8bdd\u51ed\u8bc1\u6216\u6267\u884c\u7ba1\u7406\u64cd\u4f5c\u3002",
  "discovererName": "Marcel Bilal",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-21611",
  "openTime": "2018-10-24",
  "patchDescription": "Juniper Junos Space\u662f\u7f8e\u56fd\u77bb\u535a\u7f51\u7edc\uff08Juniper Networks\uff09\u516c\u53f8\u7684\u4e00\u5957\u7f51\u7edc\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u652f\u6301\u5728\u8bbe\u5907\u548c\u670d\u52a1\u7684\u6574\u4e2a\u751f\u547d\u5468\u671f\u5185\u5bf9\u5176\u8fdb\u884c\u81ea\u52a8\u914d\u7f6e\u3001\u76d1\u63a7\u548c\u6545\u969c\u6392\u9664\u3002OpenNMS\u662f\u5176\u4e2d\u7684\u4e00\u5957\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nJuniper Junos Space 18.2R1\u4e4b\u524d\u7248\u672c\u4e2d\u7684OpenNMS\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7a83\u53d6\u654f\u611f\u4fe1\u606f/\u4f1a\u8bdd\u51ed\u8bc1\u6216\u6267\u884c\u7ba1\u7406\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "OpenNMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-21611\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Juniper Networks Junos Space \u003c18.2R1"
  },
  "referenceLink": "https://www.securityfocus.com/bid/105566",
  "serverity": "\u4e2d",
  "submitTime": "2018-10-19",
  "title": "OpenNMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-21611\uff09"
}

CVE-2018-0046 (GCVE-0-2018-0046)

Vulnerability from cvelistv5

Published

2018-10-10 18:00

Modified

2024-09-17 03:13

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Reflected cross-site scripting vulnerability

Summary

A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/105566	vdb-entry, x_refsource_BID
	https://kb.juniper.net/JSA10880	x_refsource_CONFIRM
	https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1041862	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	Juniper Networks	Junos Space	Version: unspecified < 18.2R1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:14:16.635Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "105566",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105566"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.juniper.net/JSA10880"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d"
          },
          {
            "name": "1041862",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041862"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Junos Space",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "18.2R1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marcel Bilal of IT-Dienstleistungszentrum Berlin"
        }
      ],
      "datePublic": "2018-10-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Reflected cross-site scripting vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T09:57:01",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "name": "105566",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105566"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.juniper.net/JSA10880"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d"
        },
        {
          "name": "1041862",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041862"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The following software releases have been updated to resolve this specific issue: Junos Space 18.2R1, and all subsequent releases."
        }
      ],
      "source": {
        "advisory": "JSA10880",
        "defect": [
          "1337619"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Junos Space: Reflected Cross-site Scripting vulnerability in OpenNMS",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are no viable workarounds for this issue."
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@juniper.net",
          "DATE_PUBLIC": "2018-10-10T16:00:00.000Z",
          "ID": "CVE-2018-0046",
          "STATE": "PUBLIC",
          "TITLE": "Junos Space: Reflected Cross-site Scripting vulnerability in OpenNMS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Junos Space",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "18.2R1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Juniper Networks"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Marcel Bilal of IT-Dienstleistungszentrum Berlin"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Reflected cross-site scripting vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "105566",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105566"
            },
            {
              "name": "https://kb.juniper.net/JSA10880",
              "refsource": "CONFIRM",
              "url": "https://kb.juniper.net/JSA10880"
            },
            {
              "name": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d",
              "refsource": "CONFIRM",
              "url": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d"
            },
            {
              "name": "1041862",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041862"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The following software releases have been updated to resolve this specific issue: Junos Space 18.2R1, and all subsequent releases."
          }
        ],
        "source": {
          "advisory": "JSA10880",
          "defect": [
            "1337619"
          ],
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "There are no viable workarounds for this issue."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2018-0046",
    "datePublished": "2018-10-10T18:00:00Z",
    "dateReserved": "2017-11-16T00:00:00",
    "dateUpdated": "2024-09-17T03:13:58.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted