CVE-2021-31384
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 and later versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | unspecified < 20.4R1 | unaffected |
| Juniper Networks | Junos OS | 20.4R1 < 20.4* | affected |
| Juniper Networks | Junos OS | 21.1 < 21.1R1-S1, 21.1R2 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
- CWE-862: CWE-862: Missing Authorization
- CWE-551: CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
- CWE-939: CWE-939: Improper Authorization in Handler for Custom URL Scheme
- CWE-1220: CWE-1220: Insufficient Granularity of Access Control
Workarounds
There are no viable workarounds for this issue other than disabling J-Web.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.