Page 29 of 327 results (0.005 seconds)

CVSS: 6.8EPSS: 0%CPEs: 16EXPL: 0

On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability. En las plataformas QFX3500 y QFX3600, el número de bytes recopilados desde la fuente de entropía de RANDOM_INTERRUPT cuando los arranques del dispositivo son insuficientes, conllevando posiblemente a claves SSH débiles o duplicadas o a certificados SSL/TLS auto-firmados. • https://kb.juniper.net/JSA10678 • CWE-331: Insufficient Entropy •

CVSS: 6.5EPSS: 0%CPEs: 53EXPL: 0

Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY. • https://kb.juniper.net/JSA10706 • CWE-326: Inadequate Encryption Strength •

CVSS: 7.1EPSS: 0%CPEs: 49EXPL: 0

Multiple vulnerabilities exist in Juniper Junos J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service (DoS). This affects Juniper Junos OS 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R8, 12.3X48 before 12.3X48-D10, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R3, 14.1X53 before 14.1X53-D10, 14.2 before 14.2R1, and 15.1 before 15.1R1. Se presentan múltiples vulnerabilidades en el manejo de errores de Juniper Junos J-Web que pueden conllevar a problemas de tipo cross site scripting (XSS) o bloquear el servicio J-Web (DoS). Esto afecta a Juniper Junos OS versiones 12.1X44 anteriores a 12.1X44-D45, versiones 12.1X46 anteriores a 12.1X46-D30, versiones 12.1X47 anteriores a 12.1X47-D20, versiones 12.3 anteriores a 12.3R8, versiones 12.3X48 anteriores a 12.3X48-D10, versiones 13.1 anteriores a 13.1R5, versiones 13.2 anteriores a 13.2 R6, versiones 13.3 anteriores a 13.3R4, versiones 14.1 anteriores a 14.1R3, versiones 14.1X53 anteriores a 14.1X53-D10, versiones 14.2 anteriores a 14.2R1 y versiones 15.1 anteriores a 15.1R1. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10682 http://www.securitytracker.com/id/1032846 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0

Juniper Junos OS 13.2 before 13.2R5, 13.2X51, 13.2X52, and 13.3 before 13.3R3 allow local users to bypass intended restrictions and execute arbitrary Python code via vectors involving shell access. Juniper Junos OS versión 13.2 anteriores a 13.2R5, versiones 13.2X51, 13.2X52 y versión 13.3 anteriores a 13.3R3, permiten a usuarios locales omitir las restricciones previstas y ejecutar código de Python arbitrario por medio de vectores que involucran el acceso de shell. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10695 • CWE-269: Improper Privilege Management •

CVSS: 7.5EPSS: 0%CPEs: 278EXPL: 0

Insufficient Cross-Site Scripting (XSS) protection in J-Web may potentially allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session and perform administrative actions on the Junos device as the targeted user. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series; 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2. Una protección insuficiente contra ataques de tipo Cross-Site Scripting (XSS) en J-Web puede permitir potencialmente a un atacante remoto inyectar script web o HTML, secuestrar la sesión J-Web del usuario objetivo y llevar a cabo acciones administrativas en el dispositivo Junos como el usuario objetivo. Este problema afecta a las versiones de Juniper Networks Junos OS 12.3 anteriores a 12.3R12-S15; versiones 12.3X48 anteriores a 12.3X48-D86, 12.3X48-D90 en SRX Series; versiones 14.1X53 anteriores a 14.1X53-D51 en EX y QFX Series; versiones 15.1F6 anteriores a 15.1F6-S13; versiones 15.1 anteriores a 15.1R7-S5; versiones 15.1X49 anteriores a 15.1X49-D181, 15.1X49-D190 en SRX Series; versiones 15.1X53 anteriores a 15.1X53-D238 en QFX5200/QFX5110 Series; versiones 15.1X53 anteriores a 15.1X53-D592 en EX2300/EX3400 Series; versiones 16.1 anteriores a 16.1R4-S13, 16.1R7-S5; versiones 16.2 anteriores a 16.2R2-S10; versiones 17.1 anteriores a 17.1R2-S11, 17.1R3-S1; versiones 17.2 anteriores a 17.2R1-S9, 17.2R3-S2; versiones 17.3 anteriores a 17.3R2-S5, 17.3R3-S5; versiones 17.4 anteriores a 17.4R2-S6, 17.4R3; versiones 18.1 anteriores a 18.1R3-S7; versiones 18.2 anteriores a 18.2R2-S5, 18.2R3; versiones 18.3 anteriores a 18.3R1-S6, 18.3R2-S1, 18.3R3; versiones 18.4 anteriores a 18.4R1-S5, 18.4R2; versiones 19.1 anteriores a 19.1R1-S2, 19.1R2. • https://kb.juniper.net/JSA10986 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •