CVE-2021-31386
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perform Person-in-the-Middle (PitM) attacks against the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S20; 15.1 versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 12.3 < 12.3R12-S20 | affected |
| Juniper Networks | Junos OS | 15.1 < 15.1R7-S11 | affected |
| Juniper Networks | Junos OS | 18.3 < 18.3R3-S6 | affected |
| Juniper Networks | Junos OS | 18.4 < 18.4R3-S10 | affected |
| Juniper Networks | Junos OS | 19.1 < 19.1R3-S7 | affected |
| Juniper Networks | Junos OS | 19.2 < 19.2R3-S4 | affected |
| Juniper Networks | Junos OS | 19.3 < 19.3R3-S4 | affected |
| Juniper Networks | Junos OS | 19.4 < 19.4R3-S6 | affected |
| Juniper Networks | Junos OS | 20.1 < 20.1R3-S2 | affected |
| Juniper Networks | Junos OS | 20.2 < 20.2R3-S3 | affected |
| Juniper Networks | Junos OS | 20.3 < 20.3R3-S1 | affected |
| Juniper Networks | Junos OS | 20.4 < 20.4R3 | affected |
| Juniper Networks | Junos OS | 21.1 < 21.1R3 | affected |
| Juniper Networks | Junos OS | 21.2 < 21.2R2 | affected |
Weaknesses
- CWE-311: CWE-311: Missing Encryption of Sensitive Data
- CWE-325: CWE-325: Missing Cryptographic Step
- CWE-693: CWE-693: Protection Mechanism Failure
- CWE-300: CWE-300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Workarounds
Discontinue the use of HTTP, instead use HTTPS when using J-Web.
[system services web-management https]
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.