An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.
While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device.
This issue affects Junos OS:
* All versions before 21.2R3-S8,
* from 21.4 before 21.4R3-S7,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S1, 23.4R2.
CVSS Score
8.8
EPSS Score
0.006
Published
2024-07-10
A Stack-Based Buffer Overflow vulnerability in Juniper Networks Junos OS and Juniper Networks Junos OS Evolved may allow a local, low-privileged attacker with access to the CLI the ability to load a malicious certificate file, leading to a limited Denial of Service (DoS) or privileged code execution.
By exploiting the 'set security certificates' command with a crafted certificate file, a malicious attacker with access to the CLI could cause a crash of the command management daemon (mgd), limited to the local user's command interpreter, or potentially trigger a stack-based buffer overflow.
This issue affects:
Junos OS:
* All versions before 21.4R3-S7,
* from 22.1 before 22.1R3-S6,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S1, 23.4R2;
Junos OS Evolved:
* All versions before 21.4R3-S7-EVO,
* from 22.1-EVO before 22.1R3-S6-EVO,
* from 22.2-EVO before 22.2R3-S4-EVO,
* from 22.3-EVO before 22.3R3-S3-EVO,
* from 22.4-EVO before 22.4R3-S2-EVO,
* from 23.2-EVO before 23.2R2-EVO,
* from 23.4-EVO before 23.4R1-S1-EVO, 23.4R2-EVO.
CVSS Score
6.4
EPSS Score
0.001
Published
2024-07-10
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Layer 2 Address Learning Daemon (l2ald) on Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS).
In an EVPN/VXLAN scenario, when a high amount specific Layer 2 packets are processed by the device, it can cause the Routing Protocol Daemon (rpd) to utilize all CPU resources which causes the device to hang. A manual restart of the rpd is required to restore services.
This issue affects both IPv4 and IPv6 implementations.
This issue affects
Junos OS:
All versions earlier than 21.4R3-S7;
22.1 versions earlier than 22.1R3-S5;
22.2 versions earlier than 22.2R3-S3;
22.3 versions earlier than 22.3R3-S3;
22.4 versions earlier than 22.4R3-S2;
23.2 versions earlier than 23.2R2;
23.4 versions earlier than 23.4R1-S1.
Junos OS Evolved:
All versions earlier than 21.4R3-S7-EVO;
22.1-EVO versions earlier than 22.1R3-S5-EVO;
22.2-EVO versions earlier than 22.2R3-S3-EVO;
22.3-EVO versions earlier than 22.3R3-S3-EVO;
22.4-EVO versions earlier than 22.4R3-S2-EVO;
23.2-EVO versions earlier than 23.2R2-EVO;
23.4-EVO versions earlier than 23.4R1-S1-EVO, 23.4R2-EVO.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-07-10
A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability the
Routing Protocol Daemon (rpd)
of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker's control. However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.
On all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead routes nexthop-set. When this change happens, multipath relies on certain internal timing to record the update. Under certain circumstance and with specific timing, this could result in an rpd crash.
This issue only affects systems with BGP multipath enabled.
This issue affects:
Junos OS:
* All versions of 21.1
* from 21.2 before 21.2R3-S7,
* from 21.4 before 21.4R3-S6,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2.
Junos OS Evolved:
* All versions of 21.1-EVO,
* All versions of 21.2-EVO,
* from 21.4-EVO before 21.4R3-S6-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-S2-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO.
Versions of Junos OS before 21.1R1 are unaffected by this vulnerability.
Versions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.
CVSS Score
5.9
EPSS Score
0.004
Published
2024-07-10
An Improper Handling of Exceptional Conditions vulnerability in the Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker sending a specific malformed BGP update message to cause the session to reset, resulting in a Denial of Service (DoS). Continued receipt and processing of these malformed BGP update messages will create a sustained Denial of Service (DoS) condition.
Upon receipt of a BGP update message over an established BGP session containing a specifically malformed tunnel encapsulation attribute, when segment routing is enabled, internal processing of the malformed attributes within the update results in improper parsing of remaining attributes, leading to session reset:
BGP SEND Notification code 3 (Update Message Error) subcode 1 (invalid attribute list)
Only systems with segment routing enabled are vulnerable to this issue.
This issue affects eBGP and iBGP, in both IPv4 and IPv6 implementations, and requires a remote attacker to have at least one established BGP session.
This issue affects:
Junos OS:
* All versions before 21.4R3-S8,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S3,
* from 23.2 before 23.2R2-S1,
* from 23.4 before 23.4R1-S2, 23.4R2.
Junos OS Evolved:
* All versions before 21.4R3-S8-EVO,
* from 22.2-EVO before 22.2R3-S4-EVO,
* from 22.3-EVO before 22.3R3-S3-EVO,
* from 22.4-EVO before 22.4R3-S3-EVO,
* from 23.2-EVO before 23.2R2-S1-EVO,
* from 23.4-EVO before 23.4R1-S2-EVO, 23.4R2-EVO.
CVSS Score
7.5
EPSS Score
0.016
Published
2024-07-10
A Use After Free vulnerability in command processing of Juniper Networks Junos OS on MX Series allows a local, authenticated attacker to cause the broadband edge service manager daemon (bbe-smgd) to crash upon execution of specific CLI commands, creating a Denial of Service (DoS) condition. The process crashes and restarts automatically.
When specific CLI commands are executed, the bbe-smgd daemon attempts to write into an area of memory (mgd socket) that was already closed, causing the process to crash. This process manages and controls the configuration of broadband subscriber sessions and services. While the process is unavailable, additional subscribers will not be able to connect to the device, causing a temporary Denial of Service condition.
This issue only occurs if Graceful Routing Engine Switchover (GRES) and Subscriber Management are enabled.
This issue affects Junos OS:
* All versions before 20.4R3-S5,
* from 21.1 before 21.1R3-S4,
* from 21.2 before 21.2R3-S3,
* from 21.3 before 21.3R3-S5,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3,
* from 22.2 before 22.2R3,
* from 22.3 before 22.3R2;
CVSS Score
5.5
EPSS Score
0.001
Published
2024-04-16
A Stack-based Buffer Overflow vulnerability in Flow Processing Daemon (flowd) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).
On all Junos OS MX Series platforms with SPC3 and MS-MPC/-MIC, when URL filtering is enabled and a specific URL request is received and processed, flowd will crash and restart. Continuous reception of the specific URL request will lead to a sustained Denial of Service (DoS) condition.
This issue affects:
Junos OS:
* all versions before 21.2R3-S6,
* from 21.3 before 21.3R3-S5,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S3,
* from 22.2 before 22.2R3-S1,
* from 22.3 before 22.3R2-S2, 22.3R3,
* from 22.4 before 22.4R2-S1, 22.4R3.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-04-12
A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device.
If a device is configured with IPsec authentication algorithm hmac-sha-384 or hmac-sha-512, tunnels are established normally but for traffic traversing the tunnel no authentication information is sent with the encrypted data on egress, and no authentication information is expected on ingress. So if the peer is an unaffected device transit traffic is going to fail in both directions. If the peer is an also affected device transit traffic works, but without authentication, and configuration and CLI operational commands indicate authentication is performed.
This issue affects Junos OS:
* All versions before 20.4R3-S7,
* 21.1 versions before 21.1R3,
* 21.2 versions before 21.2R2-S1, 21.2R3,
* 21.3 versions before 21.3R1-S2, 21.3R2.
CVSS Score
4.8
EPSS Score
0.001
Published
2024-04-12
An Incorrect Calculation of Buffer Size vulnerability in Juniper Networks Junos OS SRX 5000 Series devices using SPC2 line cards while ALGs are enabled allows an attacker sending specific crafted packets to cause a transit traffic Denial of Service (DoS).
Continued receipt and processing of these specific packets will sustain the Denial of Service condition.
This issue affects:
Juniper Networks Junos OS SRX 5000 Series with SPC2 with ALGs enabled.
* All versions earlier than 21.2R3-S7;
* 21.4 versions earlier than 21.4R3-S6;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S2;
* 22.4 versions earlier than 22.4R3;
* 23.2 versions earlier than 23.2R2.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-04-12
An Incorrect Default Permissions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to access confidential information on the system.
On all Junos OS and Junos OS Evolved platforms, when NETCONF traceoptions are configured, and a super-user performs specific actions via NETCONF, then a low-privileged user can access sensitive information compromising the confidentiality of the system.
This issue affects:
Junos OS:
* all versions before 21.2R3-S7,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R1-S2.
Junos OS Evolved:
* all versions before 21.2R3-S7-EVO,
* from 21.3 before 21.3R3-S5-EVO,
* from 21.4 before 21.4R3-S5-EVO,
* from 22.1 before 22.1R3-S5-EVO,
* from 22.2 before 22.2R3-S3-EVO,
* from 22.3 before 22.3R3-S2-EVO,
* from 22.4 before 22.4R3-EVO,
* from 23.2 before 23.2R1-S2.
CVSS Score
5.0
EPSS Score
0.0
Published
2024-04-12