CVSS: 7.8EPSS: 0%CPEs: 109EXPL: 0CVE-2023-22413 – Junos OS: MX Series: The Multiservices PIC Management Daemon (mspmand) will crash when an IPsec6 tunnel processes specific IPv4 packets
https://notcve.org/view.php?id=CVE-2023-22413
12 Jan 2023 — An Improper Check or Handling of Exceptional Conditions vulnerability in the IPsec library of Juniper Networks Junos OS allows a network-based, unauthenticated attacker to cause Denial of Service (DoS). On all MX platforms with MS-MPC or MS-MIC card, when specific IPv4 packets are processed by an IPsec6 tunnel, the Multiservices PIC Management Daemon (mspmand) process will core and restart. This will lead to FPC crash. Traffic flow is impacted while mspmand restarts. Continued receipt of these specific pack... • https://kb.juniper.net/JSA70209 • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22251 – cSRX Series: Storing Passwords in a Recoverable Format and software permissions issues allows a local attacker to elevate privileges
https://notcve.org/view.php?id=CVE-2022-22251
18 Oct 2022 — On cSRX Series devices software permission issues in the container filesystem and stored files combined with storing passwords in a recoverable format in Juniper Networks Junos OS allows a local, low-privileged attacker to elevate their permissions to take control of any instance of a cSRX software deployment. This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later versions prior to 21.2R1 on cSRX Series. En los dispositivos cSRX Series, los problemas de permisos de software en el sistema... • https://kb.juniper.net/JSA69908 • CWE-257: Storing Passwords in a Recoverable Format CWE-275: Permission Issues CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 334EXPL: 0CVE-2022-22250 – Junos OS and Junos OS Evolved: An FPC crash might be seen due to an EVPN MAC entry moving from local to remote
https://notcve.org/view.php?id=CVE-2022-22250
18 Oct 2022 — An Improper Control of a Resource Through its Lifetime vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS and Junos OS Evolved allows unauthenticated adjacent attacker to cause a Denial of Service (DoS). In an EVPN-MPLS scenario, if MAC is learned locally on an access interface but later a request to delete is received indicating that the MAC was learnt remotely, this can lead to memory corruption which can result in line card crash and reload. This issue affects: Juniper Networks ... • https://kb.juniper.net/JSA69907 • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 6.5EPSS: 0%CPEs: 214EXPL: 1CVE-2022-22249 – Junos OS: MX Series: An FPC crash might be seen due to mac-moves within the same bridge domain
https://notcve.org/view.php?id=CVE-2022-22249
18 Oct 2022 — An Improper Control of a Resource Through its Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). When there is a continuous mac move a memory corruption causes one or more FPCs to crash and reboot. These MAC moves can be between two local interfaces or between core/EVPN and local interface. The below error logs can be seen in PFE syslog when this issue happens: xss_event_handle... • https://kb.juniper.net/JSA69906 • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 9.0EPSS: 0%CPEs: 161EXPL: 0CVE-2022-22246 – Junos OS: PHP file inclusion vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22246
18 Oct 2022 — A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. By chaining this vulnerability with other unspecified vulnerabilities, and by circumventing existing attack requirements, successful exploitation could lead to a complete system compromise. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.... • https://kb.juniper.net/JSA69899 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 4.3EPSS: 0%CPEs: 160EXPL: 0CVE-2022-22245 – Junos OS: Path traversal vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22245
18 Oct 2022 — A Path Traversal vulnerability in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to upload arbitrary files to the device by bypassing validation checks built into Junos OS. The attacker should not be able to execute the file due to validation checks built into Junos OS. Successful exploitation of this vulnerability could lead to loss of filesystem integrity. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.... • https://kb.juniper.net/JSA69899 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 5.3EPSS: 0%CPEs: 160EXPL: 0CVE-2022-22244 – Junos OS: Unauthenticated XPath Injection vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22244
18 Oct 2022 — An XPath Injection vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker sending a crafted POST to reach the XPath channel, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions pri... • https://kb.juniper.net/JSA69899 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 4.3EPSS: 0%CPEs: 162EXPL: 0CVE-2022-22243 – Junos OS: XPath Injection vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22243
18 Oct 2022 — An XPath Injection vulnerability due to Improper Input Validation in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to add an XPath command to the XPath stream, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions p... • https://kb.juniper.net/JSA69899 • CWE-20: Improper Input Validation CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.4EPSS: 87%CPEs: 160EXPL: 0CVE-2022-22242 – Junos OS: Cross-site Scripting (XSS) vulnerability in J-Web
https://notcve.org/view.php?id=CVE-2022-22242
18 Oct 2022 — A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 ... • https://kb.juniper.net/JSA69899 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 161EXPL: 0CVE-2022-22241 – Junos OS: Vulnerability in J-Web may allow deserialization without authentication
https://notcve.org/view.php?id=CVE-2022-22241
18 Oct 2022 — An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-... • https://kb.juniper.net/JSA69899 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •