PT-2024-1427 · Juniper Networks · Junos

Published

2024-01-25

·

Updated

2024-02-08

·

CVE-2024-21619

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

- Juniper Networks Junos OS on SRX Series and EX Series versions earlier than 20.4R3-S9
- Juniper Networks Junos OS on SRX Series and EX Series 21.2 versions earlier than 21.2R3-S7
- Juniper Networks Junos OS on SRX Series and EX Series 21.3 versions earlier than 21.3R3-S5
- Juniper Networks Junos OS on SRX Series and EX Series 21.4 versions earlier than 21.4R3-S6
- Juniper Networks Junos OS on SRX Series and EX Series 22.1 versions earlier than 22.1R3-S5
- Juniper Networks Junos OS on SRX Series and EX Series 22.2 versions earlier than 22.2R3-S3
- Juniper Networks Junos OS on SRX Series and EX Series 22.3 versions earlier than 22.3R3-S2
- Juniper Networks Junos OS on SRX Series and EX Series 22.4 versions earlier than 22.4R3
- Juniper Networks Junos OS on SRX Series and EX Series 23.2 versions earlier than 23.2R1-S2, 23.2R2
Description

A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file containing the device configuration is created in the /cache folder. An unauthenticated attacker can then attempt to retrieve that file by sending a specific request to the device while guessing the file's name. Successful exploitation reveals configuration information.
Recommendations

- For versions earlier than 20.4R3-S9, update to version 20.4R3-S9 or later.
- For 21.2 versions earlier than 21.2R3-S7, update to version 21.2R3-S7 or later.
- For 21.3 versions earlier than 21.3R3-S5, update to version 21.3R3-S5 or later.
- For 21.4 versions earlier than 21.4R3-S6, update to version 21.4R3-S6 or later.
- For 22.1 versions earlier than 22.1R3-S5, update to version 22.1R3-S5 or later.
- For 22.2 versions earlier than 22.2R3-S3, update to version 22.2R3-S3 or later.
- For 22.3 versions earlier than 22.3R3-S2, update to version 22.3R3-S2 or later.
- For 22.4 versions earlier than 22.4R3, update to version 22.4R3 or later.
- For 23.2 versions earlier than 23.2R1-S2, 23.2R2, update to version 23.2R1-S2, 23.2R2 or later.

As a temporary workaround, consider restricting access to the /cache folder to minimize the risk of exploitation.
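The following is an added example (not code from Juniper or from this advisory) that turns the fixed-version table above into a version check an asset owner can run against an inventory of Junos versions. It assumes version strings of the form `<major>.<minor>R<release>` with an optional `-S<service>` suffix, and it treats trains the advisory does not list (for example 23.4) as unaffected, following the advisory literally.

```python
import re

# First fixed release per train, transcribed from the advisory above.
# The 20.4 entry also covers every train older than 20.4 ("versions earlier
# than 20.4R3-S9" is not qualified by a train in the advisory).
FIRST_FIXED = {
    "20.4": "20.4R3-S9",
    "21.2": "21.2R3-S7",
    "21.3": "21.3R3-S5",
    "21.4": "21.4R3-S6",
    "22.1": "22.1R3-S5",
    "22.2": "22.2R3-S3",
    "22.3": "22.3R3-S2",
    "22.4": "22.4R3",
    "23.2": "23.2R1-S2",  # 23.2R2 sorts after 23.2R1-S2 and is fixed too
}

# Assumed Junos version shape: major.minor R release [-S service]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_version(version: str) -> tuple:
    """Return a sortable (major, minor, release, service) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    # A release with no -S suffix is service level 0 (e.g. 22.4R3 < 22.4R3-S1).
    return (int(major), int(minor), int(release), int(service or 0))


def is_affected(version: str) -> bool:
    """True if `version` falls inside an affected range from the advisory."""
    key = parse_version(version)
    # Everything earlier than 20.4R3-S9, regardless of train, is affected.
    if key < parse_version(FIRST_FIXED["20.4"]):
        return True
    train = f"{key[0]}.{key[1]}"
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return False  # train not listed in the advisory
    return key < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["19.4R3-S4", "21.2R3-S6", "21.2R3-S7", "23.2R1-S1", "23.2R2"]:
        print(v, "AFFECTED" if is_affected(v) else "not affected")
```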

Fix

Weakness Enumeration

- Missing Authentication
- Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2024-00901
CVE-2024-21619

Affected Products

Junos