// For flags

CVE-2022-22152

Contrail Service Orchestration: Tenants able to see other tenants policies via REST API interface

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3.

Una vulnerabilidad de Fallo del Mecanismo de Protección en la API REST de Juniper Networks Contrail Service Orchestration permite a un arrendatario del sistema visualizar detalles de configuración confidenciales de otro arrendatario del mismo sistema. Al usar la API REST, un inquilino puede obtener información sobre la configuración del firewall y las políticas de control de acceso de otro inquilino, así como otra información confidencial, exponiendo al inquilino a una defensa reducida contra ataques maliciosos o a la explotación por medio de vulnerabilidades adicionales no determinadas. Este problema afecta a versiones de Juniper Networks Contrail Service Orchestration anteriores a 6.1.0 Patch 3

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-12-21 CVE Reserved
  • 2022-01-19 CVE Published
  • 2023-08-11 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-693: Protection Mechanism Failure
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://kb.juniper.net/JSA11260 2022-01-24
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Juniper
Search vendor "Juniper"
 Contrail Service Orchestration
Search vendor "Juniper" for product "Contrail Service Orchestration"
 <= 6.0.0
Search vendor "Juniper" for product "Contrail Service Orchestration" and version " <= 6.0.0"
-
Affected
Juniper
Search vendor "Juniper"
 Contrail Service Orchestration
Search vendor "Juniper" for product "Contrail Service Orchestration"
 6.1.0
Search vendor "Juniper" for product "Contrail Service Orchestration" and version "6.1.0"
-
Affected
Juniper
Search vendor "Juniper"
 Contrail Service Orchestration
Search vendor "Juniper" for product "Contrail Service Orchestration"
 6.1.0
Search vendor "Juniper" for product "Contrail Service Orchestration" and version "6.1.0"
patch1
Affected
Juniper
Search vendor "Juniper"
 Contrail Service Orchestration
Search vendor "Juniper" for product "Contrail Service Orchestration"
 6.1.0
Search vendor "Juniper" for product "Contrail Service Orchestration" and version "6.1.0"
patch2
Affected