A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information.
When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information.
This issue affects Juniper Networks Junos OS on SRX Series and EX Series:
* All versions earlier than 20.4R3-S9;
* 21.2 versions earlier than 21.2R3-S7;
* 21.3 versions earlier than 21.3R3-S5;
* 21.4 versions earlier than 21.4R3-S6;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S2;
* 22.4 versions earlier than 22.4R3;
* 23.2 versions earlier than 23.2R1-S2, 23.2R2.
Metrics
No CVSS v4.0
Attack Vector Network
Attack Complexity High
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact None
Availability Impact None
User Interaction Required
No CVSS v3.0
No CVSS v2
This CVE is not in the KEV list.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Juniper |
|
Configuration 1 [-]
AND |
|
No data.
References
Link | Providers |
---|---|
https://supportportal.juniper.net/JSA76390 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: juniper
Published: 2024-01-25T22:48:16.839Z
Updated: 2024-08-01T22:27:35.795Z
Reserved: 2023-12-27T19:38:25.710Z
Link: CVE-2024-21619
Vulnrichment
No data.
NVD
Status : Modified
Published: 2024-01-25T23:15:09.467
Modified: 2024-11-21T08:54:44.270
Link: CVE-2024-21619
Redhat
No data.