
CVSS: 10.0 | EPSS: 83% | CPEs: 361 | EXPL: 0

utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions. A vulnerability was found where incorrect bounds checks in the telnet server’s (telnetd) handling of short writes and urgent data could lead to information disclosure and corruption of heap data. An unauthenticated remote attacker could exploit these bugs by sending specially crafted telnet packets to achieve arbitrary code execution in the telnet server.

• https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
• https://github.com/krb5/krb5-appl/blob/d00cd671dfe945791b33d4f1f6a5c57ae1667ef8/telnet/telnetd/utility.c#L205-L216
• https://lists.debian.org/debian-lts-announce/2020/05/msg00012.html
• https://lists.debian.org/debian-lts-announce/2020/08/msg00038.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7FMTRRQTYKWZD2GMXX3GLZV46OLPCLVK
• https://lists.fedoraproject.org/archives/list/package-announce%40l
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 8.8 | EPSS: 0% | CPEs: 145 | EXPL: 0

A device using Juniper Networks' Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved that is configured in relay mode is vulnerable to an attacker sending crafted IPv6 packets, who may then arbitrarily execute commands as root on the target device. This issue affects IPv6 JDHCPD services. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D592; 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S2, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2*; and all versions prior to 19.3R1 on Junos OS Evolved. This issue does not affect versions of Junos OS prior to 15.1, or JDHCPD operating as a local server in non-relay mode.

• https://kb.juniper.net/JSA10981
• https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1449353
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• CWE-121: Stack-based Buffer Overflow

CVSS: 7.5 | EPSS: 0% | CPEs: 278 | EXPL: 0

Insufficient Cross-Site Scripting (XSS) protection in J-Web may potentially allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session and perform administrative actions on the Junos device as the targeted user. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series; 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2.

• https://kb.juniper.net/JSA10986
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 | EPSS: 0% | CPEs: 210 | EXPL: 0

A path traversal vulnerability in the Juniper Networks Junos OS device may allow an authenticated J-web user to read files with 'world' readable permission and delete files with 'world' writeable permission. This issue does not affect system files that can be accessed only by root user. This issue affects Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D85 on SRX Series; 14.1X53 versions prior to 14.1X53-D51; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D180 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R1-S4, 19.1R2.

• https://kb.juniper.net/JSA10985
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.8 | EPSS: 0% | CPEs: 145 | EXPL: 0

A device using Juniper Networks' Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved that is configured in relay mode is vulnerable to an attacker sending crafted IPv4 packets, who may then arbitrarily execute commands as root on the target device. This issue affects IPv4 JDHCPD services. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D592; 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S2, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2*; and all versions prior to 19.3R1 on Junos OS Evolved. This issue does not affect versions of Junos OS prior to 15.1, or JDHCPD operating as a local server in non-relay mode.

• https://kb.juniper.net/JSA10981
• https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1449353
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• CWE-121: Stack-based Buffer Overflow