CVE-2024-39565

Junos OS: J-Web: An unauthenticated, network-based attacker can perform XPATH injection attack against a device.

Severity Score

7.7

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.

While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device.
This issue affects Junos OS:

* All versions before 21.2R3-S8,
* from 21.4 before 21.4R3-S7,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S1, 23.4R2.

Una vulnerabilidad de neutralización inadecuada de datos dentro de expresiones XPath ('inyección XPath') en J-Web incluido con Juniper Networks Junos OS permite que un atacante basado en red no autenticado ejecute comandos remotos en el dispositivo objetivo. Mientras un administrador inicia sesión en una sesión de J-Web o ha iniciado sesión previamente y posteriormente ha cerrado sesión en su sesión de J-Web, el atacante puede ejecutar comandos arbitrariamente en el dispositivo de destino con las credenciales del otro usuario. En el peor de los casos, el atacante tendrá control total sobre el dispositivo. Este problema afecta a Junos OS: * Todas las versiones anteriores a 21.2R3-S8, * desde 21.4 anterior a 21.4R3-S7, * desde 22.2 anterior a 22.2R3-S4, * desde 22.3 anterior a 22.3R3-S3, * desde 22.4 anterior a 22.4R3-S2 , * de 23.2 antes de 23.2R2, * de 23.4 antes de 23.4R1-S1, 23.4R2.

*Credits: Juniper SIRT would like to acknowledge and thank CataLpa of Hatlab, DbappSecurity Co. Ltd. for responsibly reporting this vulnerability.

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

None

User Interaction

Passive

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

None

User Interaction

Passive

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-25 CVE Reserved
2024-07-10 CVE Published
2024-07-11 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

CAPEC

References (3)

URL	Tag	Source
https://support.juniper.net/support/downloads/?p=283	Signature
https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber	Related

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://supportportal.juniper.net/JSA83023	2024-07-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				< 21.2R3-S8 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " < 21.2R3-S8"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 21.4 < 21.4R3-S7 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 21.4 < 21.4R3-S7"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 22.2 < 22.2R3-S4 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 22.2 < 22.2R3-S4"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 22.3 < 22.3R3-S3 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 22.3 < 22.3R3-S3"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 22.4 < 22.4R3-S2 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 22.4 < 22.4R3-S2"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 23.2 < 23.2R2 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 23.2 < 23.2R2"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 23.4 < 23.4R1-S1 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 23.4 < 23.4R1-S1"		en		Affected
Juniper Networks, Inc. Search vendor "Juniper Networks, Inc."		Junos OS Search vendor "Juniper Networks, Inc." for product "Junos OS"				>= 23.4 < 23.4R2 Search vendor "Juniper Networks, Inc." for product "Junos OS" and version " >= 23.4 < 23.4R2"		en		Affected