CVE-2021-0269

Summary

The improper handling of client-side parameters in J-Web of Juniper Networks Junos OS allows an attacker to perform a number of different malicious actions against a target device when a user is authenticated to J-Web. An attacker may be able to supersede existing parameters, including hardcoded parameters within the HTTP/S session, access and exploit variables, bypass web application firewall rules or input validation mechanisms, and otherwise alter and modify J-Web's normal behavior. An attacker may be able to transition victims to malicious web services, or exfiltrate sensitive information from otherwise secure web forms. This issue affects: Juniper Networks Junos OS: All versions prior to 17.4R3-S3; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S2, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OSunspecified < 17.4R3-S3affected
Juniper NetworksJunos OS18.1 < 18.1R3-S12affected
Juniper NetworksJunos OS18.2 < 18.2R3-S6affected
Juniper NetworksJunos OS18.3 < 18.3R3-S4affected
Juniper NetworksJunos OS18.4 < 18.4R3-S6affected
Juniper NetworksJunos OS19.1 < 19.1R3-S4affected
Juniper NetworksJunos OS19.2 < 19.2R3-S1affected
Juniper NetworksJunos OS19.3 < 19.3R3-S1affected
Juniper NetworksJunos OS19.4 < 19.4R2-S2, 19.4R3affected
Juniper NetworksJunos OS20.1 < 20.1R2affected
Juniper NetworksJunos OS20.2 < 20.2R2affected

Weaknesses

  • CWE-233: CWE-233: Improper Handling of Parameters

Workarounds

To reduce the risk of exploitation utilize common security BCPs to limit the exploitable surface by limiting access to network and device to trusted systems, administrators, networks and hosts.

Access the J-Web service from trusted hosts which may not be compromised by cross-site scripting attacks, for example, deploying jump hosts with no internet access.

Alternatively, disable J-Web.

ADP Enrichment

CVE Program Container

Additional References

References