CVSS: 7.5EPSS: 1%CPEs: 75EXPL: 0CVE-2019-0001 – Junos OS: MX Series: uncontrolled recursion and crash in Broadband Edge subscriber management daemon (bbe-smgd).
https://notcve.org/view.php?id=CVE-2019-0001
Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2. La recepción de un paquete mal formado en dispositivos MX Series con una configuración vlan dinámica puede desencadenar un bucle de recursión no controlado en el demonio de gestión de suscriptores Broadband Edge (bbe-smgd) y conducir a un alto uso de CPU y el cierre inesperado del servicio bbe-smgd. La recepción repetida del mismo paquete puede resultar en una condición de denegación de servicio (DoS) extendida para los dispositivos. • http://www.securityfocus.com/bid/106541 https://kb.juniper.net/JSA10900 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMKFSHPMOZL7MDWU5RYOTIBTRWSZ4Z6X https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7CPKBW4QZ4VIY4UXIUVUSHRJ4R2FROE • CWE-674: Uncontrolled Recursion •
CVSS: 9.8EPSS: 3%CPEs: 86EXPL: 0CVE-2019-0006 – Junos OS: EX, QFX and MX series: Packet Forwarding Engine manager (FXPC) process crashes due to a crafted HTTP packet in a Virtual Chassis configuration
https://notcve.org/view.php?id=CVE-2019-0006
A certain crafted HTTP packet can trigger an uninitialized function pointer deference vulnerability in the Packet Forwarding Engine manager (fxpc) on all EX, QFX and MX Series devices in a Virtual Chassis configuration. This issue can result in a crash of the fxpc daemon or may potentially lead to remote code execution. This issue only occurs when the crafted packet it destined to the device. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D47 on EX and QFX Virtual Chassis Platforms; 15.1 versions prior to 15.1R7-S3 all Virtual Chassis Platforms 15.1X53 versions prior to 15.1X53-D50 on EX and QFX Virtual Chassis Platforms. Cierto paquete HTTP manipulado puede desencadenar una vulnerabilidad de desreferencia de puntero de función no inicializada en el gestor Packet Forwarding Engine (fxpc) en todos los dispositivos de las series EX, QFX y MX en una configuración de Virtual Chassis. • http://www.securityfocus.com/bid/106666 https://kb.juniper.net/JSA10906 • CWE-908: Use of Uninitialized Resource •
CVSS: 8.8EPSS: 0%CPEs: 23EXPL: 0CVE-2019-0017 – Junos Space: Unrestricted file upload vulnerability
https://notcve.org/view.php?id=CVE-2019-0017
The Junos Space application, which allows Device Image files to be uploaded, has insufficient validity checking which may allow uploading of malicious images or scripts, or other content types. Affected releases are Juniper Networks Junos Space versions prior to 18.3R1. La aplicación de Junos Space, que permite que los archivos Device Image se suban, tiene una comprobación de validez insuficiente, lo que podría permitir la subida de imágenes o scripts, así como otros tipos de contenido. Las distribuciones afectadas son: Junos Space en todas sus versiones anteriores a la 18.3R1. • https://kb.juniper.net/JSA10917 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-0004 – Juniper ATP: API and device keys are logged in a world-readable permissions file
https://notcve.org/view.php?id=CVE-2019-0004
On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. En Juniper ATP, la clave API y la clave del dispositivo están registradas en un archivo legible por usuarios autenticados locales. Estas claves se emplean para realizar operaciones críticas en la interfaz WebUI. • https://kb.juniper.net/JSA10918 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2019-0023 – Juniper ATP: Persistent Cross-Site Scripting vulnerability in the Golden VM menu
https://notcve.org/view.php?id=CVE-2019-0023
A persistent cross-site scripting (XSS) vulnerability in the Golden VM menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. Una vulnerabilidad de Cross-Site Scripting persistente en el menú de Golden VM de Juniper ATP podría permitir que un usuario autenticado inyecte scripts arbitrarios y robe datos sensibles y credenciales de una sesión de administración web, engañando posiblemente a un usuario administrativo posterior para que realice acciones de administrador en el dispositivo. Este problema afecta a Juniper ATP en versiones 5.0 anteriores a la 5.0.3. • https://kb.juniper.net/JSA10918 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •