PT-2024-1307 · Juniper Networks · Junos

Published

2024-01-25

·

Updated

2024-02-08

·

CVE-2024-21620

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on SRX Series and EX Series versions earlier than 20.4R3-S10 Juniper Networks Junos OS on SRX Series and EX Series 21.2 versions earlier than 21.2R3-S8 Juniper Networks Junos OS on SRX Series and EX Series 21.4 versions earlier than 21.4R3-S6 Juniper Networks Junos OS on SRX Series and EX Series 22.1 versions earlier than 22.1R3-S5 Juniper Networks Junos OS on SRX Series and EX Series 22.2 versions earlier than 22.2R3-S3 Juniper Networks Junos OS on SRX Series and EX Series 22.3 versions earlier than 22.3R3-S2 Juniper Networks Junos OS on SRX Series and EX Series 22.4 versions earlier than 22.4R3-S1 Juniper Networks Junos OS on SRX Series and EX Series 23.2 versions earlier than 23.2R2 Juniper Networks Junos OS on SRX Series and EX Series 23.4 versions earlier than 23.4R2
Description The issue is related to an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, in J-Web of Juniper Networks Junos OS on SRX Series and EX Series. This allows an attacker to construct a URL that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit debug note method in webauth operation.php will echo back the data it receives.
Recommendations For versions earlier than 20.4R3-S10, update to version 20.4R3-S10 or later. For 21.2 versions earlier than 21.2R3-S8, update to version 21.2R3-S8 or later. For 21.4 versions earlier than 21.4R3-S6, update to version 21.4R3-S6 or later. For 22.1 versions earlier than 22.1R3-S5, update to version 22.1R3-S5 or later. For 22.2 versions earlier than 22.2R3-S3, update to version 22.2R3-S3 or later. For 22.3 versions earlier than 22.3R3-S2, update to version 22.3R3-S2 or later. For 22.4 versions earlier than 22.4R3-S1, update to version 22.4R3-S1 or later. For 23.2 versions earlier than 23.2R2, update to version 23.2R2 or later. For 23.4 versions earlier than 23.4R2, update to version 23.4R2 or later. As a temporary workaround, consider disabling the emit debug note method in webauth operation.php until a patch is available.

Fix

XSS

Weakness Enumeration

CWE-79

Related Identifiers

BDU:2024-00758
CVE-2024-21620

Affected Products

Junos