CVSS: 7.8EPSS: 0%CPEs: 172EXPL: 0CVE-2023-22394 – Junos OS: SRX Series and MX Series: Memory leak due to receipt of specially crafted SIP calls
https://notcve.org/view.php?id=CVE-2023-22394
12 Jan 2023 — An Improper Handling of Unexpected Data Type vulnerability in the handling of SIP calls in Juniper Networks Junos OS on SRX Series and MX Series platforms allows an attacker to cause a memory leak leading to Denial of Services (DoS). This issue occurs on all MX Series platforms with MS-MPC or MS-MIC card and all SRX Series platforms where SIP ALG is enabled. Successful exploitation of this vulnerability prevents additional SIP calls and applications from succeeding. The SIP ALG needs to be enabled, either i... • https://kb.juniper.net/JSA70190 • CWE-911: Improper Update of Reference Count •
CVSS: 7.8EPSS: 0%CPEs: 109EXPL: 0CVE-2023-22413 – Junos OS: MX Series: The Multiservices PIC Management Daemon (mspmand) will crash when an IPsec6 tunnel processes specific IPv4 packets
https://notcve.org/view.php?id=CVE-2023-22413
12 Jan 2023 — An Improper Check or Handling of Exceptional Conditions vulnerability in the IPsec library of Juniper Networks Junos OS allows a network-based, unauthenticated attacker to cause Denial of Service (DoS). On all MX platforms with MS-MPC or MS-MIC card, when specific IPv4 packets are processed by an IPsec6 tunnel, the Multiservices PIC Management Daemon (mspmand) process will core and restart. This will lead to FPC crash. Traffic flow is impacted while mspmand restarts. Continued receipt of these specific pack... • https://kb.juniper.net/JSA70209 • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 150EXPL: 1CVE-2023-22415 – Junos OS: MX Series and SRX Series: The flow processing daemon (flowd) will crash when specific H.323 packets are received
https://notcve.org/view.php?id=CVE-2023-22415
12 Jan 2023 — An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS). On all MX Series and SRX Series platform, when H.323 ALG is enabled and specific H.323 packets are received simultaneously, a flow processing daemon (flowd) crash will occur. Continued receipt of these specific packets will cause a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS on MX Series and SRX S... • https://kb.juniper.net/JSA70211 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 214EXPL: 1CVE-2022-22249 – Junos OS: MX Series: An FPC crash might be seen due to mac-moves within the same bridge domain
https://notcve.org/view.php?id=CVE-2022-22249
18 Oct 2022 — An Improper Control of a Resource Through its Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). When there is a continuous mac move a memory corruption causes one or more FPCs to crash and reboot. These MAC moves can be between two local interfaces or between core/EVPN and local interface. The below error logs can be seen in PFE syslog when this issue happens: xss_event_handle... • https://kb.juniper.net/JSA69906 • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 9.0EPSS: 0%CPEs: 161EXPL: 0CVE-2022-22246 – Junos OS: PHP file inclusion vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22246
18 Oct 2022 — A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. By chaining this vulnerability with other unspecified vulnerabilities, and by circumventing existing attack requirements, successful exploitation could lead to a complete system compromise. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.... • https://kb.juniper.net/JSA69899 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 4.3EPSS: 0%CPEs: 160EXPL: 0CVE-2022-22245 – Junos OS: Path traversal vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22245
18 Oct 2022 — A Path Traversal vulnerability in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to upload arbitrary files to the device by bypassing validation checks built into Junos OS. The attacker should not be able to execute the file due to validation checks built into Junos OS. Successful exploitation of this vulnerability could lead to loss of filesystem integrity. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.... • https://kb.juniper.net/JSA69899 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 5.3EPSS: 0%CPEs: 160EXPL: 0CVE-2022-22244 – Junos OS: Unauthenticated XPath Injection vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22244
18 Oct 2022 — An XPath Injection vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker sending a crafted POST to reach the XPath channel, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions pri... • https://kb.juniper.net/JSA69899 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 4.3EPSS: 0%CPEs: 162EXPL: 0CVE-2022-22243 – Junos OS: XPath Injection vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22243
18 Oct 2022 — An XPath Injection vulnerability due to Improper Input Validation in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to add an XPath command to the XPath stream, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions p... • https://kb.juniper.net/JSA69899 • CWE-20: Improper Input Validation CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.4EPSS: 6%CPEs: 160EXPL: 0CVE-2022-22242 – Junos OS: Cross-site Scripting (XSS) vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22242
18 Oct 2022 — A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 ... • https://kb.juniper.net/JSA69899 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 161EXPL: 0CVE-2022-22241 – Junos OS: Vulnerability in J-Web may allow deserialization without authentication
https://notcve.org/view.php?id=CVE-2022-22241
18 Oct 2022 — An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-... • https://kb.juniper.net/JSA69899 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •