CVE-2020-1673

Published Oct 16, 2020

Last updated 4 years ago

CVSS high 8.8

Overview

Description: Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks J-Web and web based (HTTP/HTTPS) services allows an unauthenticated attacker to hijack the target user's HTTP/HTTPS session and perform administrative actions on the Junos device as the targeted user. This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled such as J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP). Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf In order to successfully exploit this vulnerability, the attacker needs to convince the device administrator to take action such as clicking the crafted URL sent via phishing email or convince the administrator to input data in the browser console. This issue affects Juniper Networks Junos OS: 18.1 versions prior to 18.1R3-S1; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R2-S5, 18.4R3-S2; 19.1 versions prior to 19.1R2-S2, 19.1R3-S1; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2; 20.1 versions prior to 20.1R1-S2, 20.1R2. This issue does not affect Juniper Networks Junos OS prior to 18.1R1.
Source: sirt@juniper.net
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 7.6
Impact score: 10
Exploitability score: 4.9
Vector string: AV:N/AC:H/Au:N/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-79
sirt@juniper.net: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0DFDD907-5305-4602-8A9C-685AA112C342"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B0A756E2-C320-405A-B24F-7C5022649E5A"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:r2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2EF6F4C1-6A7E-474F-89BC-7A3C50FD8CAC"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:r2-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "84F5BCBA-404B-4BC9-B363-CE6D231B0D6D"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:r2-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "18A4CA3E-DA61-49CC-8476-3A476CCB2B83"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:r2-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A7380B3E-09F5-4497-86C6-11EF56BD89F1"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.1:r3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "658841A9-BEC9-433E-81D0-47DE82887C4F"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A8B5BD93-3C11-45D5-ACF0-7C4C01106C8A"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "167EEC4F-729E-47C2-B0F8-E8108CE3E985"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r1:-:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "90BF177D-A895-4D05-B674-B27420A5DC6B"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r1-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A893CCE5-96B8-44A1-ABEF-6AB9B527B2FB"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r1-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "42203801-E2E7-4DCF-ABBB-D23A91B2A9FF"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r1-s5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "238EC996-8E8C-4332-916F-09E54E6EBB9D"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5F711936-33A1-47FC-A6A0-A63088915815"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "21B7820C-01D2-401C-9E6D-C83994FD5961"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3D2FBD29-2CAC-41B4-9336-671373EF4A7C"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EEFCDA90-67E2-4AEF-800C-1D29A9121B8F"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "74B99981-840F-4DAD-976A-5DAEFE9FB93D"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2-s5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BDD3ADB9-35FF-41D3-92BD-98D6D4826B03"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r2-s6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "341F2459-8335-40E9-A2B3-BE804D319F95"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B670F988-78F2-4BC6-B7FC-E34C280F67DC"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r3-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2F9451C7-6466-4AC9-9A7F-90A2817AED6C"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r3-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "871CA952-C5EC-4A25-8EF0-C2EC484F7DE9"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r3-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "80E2AD65-3DAC-4618-AB73-C43EDCDC7A13"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.2:r3-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B783A510-A694-4BF0-8995-F05507F75A90"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1BB9C2BB-D20B-41E9-B75F-7FAD9ECCDB99"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5342C3DC-D640-47AB-BD76-3444852988A2"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r1-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8AB8585E-EDC6-4400-BEE3-3A6A7C922C90"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r1-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2ABC574-B3FC-4025-B50D-7F9EEB28C806"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r1-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6F6EAFC3-C3AC-4361-8530-39FCF89702F7"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r1-s5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6B363298-315C-4FD5-9417-C5B82883A224"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r1-s6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB08FF7B-01F5-4A19-858E-E2CD19D61A62"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B7A3FBD3-5399-42A9-9BD9-E3C981CBD6DB"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r2-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4EBD361C-8B4D-43EF-8B82-9FE165D8206E"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r2-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6E7539C4-6208-43EB-9A0B-4852D0CE0FA1"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r2-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "35299B02-DC75-458D-B86D-8A0DB95B06AA"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CFB29C9B-9729-43EB-AF98-AF44038DA711"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.3:r3-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2D1FB957-54C8-428E-BC8D-2802D7F6895F"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "74CA9010-D3DE-487B-B46F-589A48AB0F0A"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A38F224C-8E9B-44F3-9D4F-6C9F04F57927"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r1-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "853F146A-9A0F-49B6-AFD2-9907434212F1"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r1-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8F73B88B-E66C-4ACD-B38D-9365FB230ABA"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r1-s5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C012CD07-706A-4E1C-B399-C55AEF5C8309"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r1-s6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A0C26E59-874A-4D87-9E7F-E366F4D65ED1"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D59D7A31-128B-4034-862B-8EF3CE3EE949"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r2-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0C5E097B-B79E-4E6A-9291-C8CB9674FED5"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r2-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "819FA3ED-F934-4B20-BC0E-D638ACCB7787"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r2-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3D7D773A-4988-4D7C-A105-1885EBE14426"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r2-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1BD93674-9375-493E-BD6C-8AD41CC75DD4"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "736B7A9F-E237-45AF-A6D6-84412475F481"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:18.4:r3-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "62E63730-F697-4FE6-936B-FD9B4F22EAE8"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "768C0EB7-8456-4BF4-8598-3401A54D21DA"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5332B70A-F6B0-4C3B-90E2-5CBFB3326126"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r1-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "81439FE8-5405-45C2-BC04-9823D2009A77"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r1-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E506138D-043E-485D-B485-94A2AB75F8E7"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r1-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0EF3C901-3599-463F-BEFB-8858768DC195"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r1-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CD806778-A995-4A9B-9C05-F4D7B1CB1F7D"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DCAB79C9-6639-4ED0-BEC9-E7C8229DF977"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r2-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C8CF858F-84BB-4AEA-B829-FCF22C326160"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.1:r3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5405F361-AB96-4477-AA0D-49B874324B39"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.2:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0E7545CE-6300-4E81-B5AF-2BE150C1B190"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.2:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4CA3060F-1800-4A06-A453-FB8CE4B65312"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9A5B337A-727C-4767-AD7B-E0F7F99EB46F"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "16FDE60B-7A99-4683-BC14-530B5B005F8B"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "725D8C27-E4F8-4394-B4EC-B49B6D3C2709"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8233C3AB-470E-4D13-9BFD-C9E90918FD0B"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "59006503-B2CA-4F79-AC13-7C5615A74CE5"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B8110DA9-54B1-43CF-AACB-76EABE0C9EF6"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:r1-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "11B5CC5A-1959-4113-BFCF-E4BA63D918C1"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:r2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "33F08A33-EF80-4D86-9A9A-9DF147B9B6D3"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:r2-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AF24ACBD-5F84-47B2-BFF3-E9A56666269C"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:r2-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3935A586-41BD-4FA5-9596-DED6F0864777"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.3:r2-s3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B83FB539-BD7C-4BEE-9022-098F73902F38"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.4:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DC743EE4-8833-452A-94DB-655BF139F883"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.4:r1-s1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FE96A8EA-FFE3-4D8F-9266-21899149D634"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:19.4:r1-s2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C12A75C6-2D00-4202-B861-00FF71585FA0"
          },
          {
            "criteria": "cpe:2.3:o:juniper:junos:20.1:r1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8328FDE6-9707-4142-B905-3B07C0E28E35"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References