CVE-2020-1606

Summary

A path traversal vulnerability in the Juniper Networks Junos OS device may allow an authenticated J-web user to read files with 'world' readable permission and delete files with 'world' writeable permission. This issue does not affect system files that can be accessed only by root user. This issue affects Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D85 on SRX Series; 14.1X53 versions prior to 14.1X53-D51; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D180 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R1-S4, 19.1R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS12.3 < 12.3R12-S13affected
Juniper NetworksJunos OS14.1X53 < 14.1X53-D51affected
Juniper NetworksJunos OS15.1F6 < 15.1F6-S13affected
Juniper NetworksJunos OS15.1 < 15.1R7-S5affected
Juniper NetworksJunos OS16.1 < 16.1R4-S13, 16.1R7-S5affected
Juniper NetworksJunos OS16.2 < 16.2R2-S10affected
Juniper NetworksJunos OS17.1 < 17.1R3-S1affected
Juniper NetworksJunos OS17.2 < 17.2R1-S9, 17.2R3-S2affected
Juniper NetworksJunos OS17.3 < 17.3R2-S5, 17.3R3-S5affected
Juniper NetworksJunos OS17.4 < 17.4R2-S9, 17.4R3affected
Juniper NetworksJunos OS18.1 < 18.1R3-S8affected
Juniper NetworksJunos OS18.2 < 18.2R3affected
Juniper NetworksJunos OS18.3 < 18.3R2-S3, 18.3R3affected
Juniper NetworksJunos OS18.4 < 18.4R2affected
Juniper NetworksJunos OS19.1 < 19.1R1-S4, 19.1R2affected
Juniper NetworksJunos OS12.3X48 < 12.3X48-D85affected
Juniper NetworksJunos OS15.1X49 < 15.1X49-D180affected
Juniper NetworksJunos OS15.1X53 < 15.1X53-D238affected
Juniper NetworksJunos OS15.1X53 < 15.1X53-D592affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Workarounds

Limit access to the J-Web interface to only trusted users to reduce risks of exploitation of this vulnerability.

ADP Enrichment

CVE Program Container

Additional References

References