CVE-2022-22181

Summary

A reflected Cross-site Scripting (XSS) vulnerability in J-Web of Juniper Networks Junos OS allows a network-based authenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web. This may allow the attacker to gain control of the device or attack other authenticated user sessions. This issue affects: Juniper Networks Junos OS All versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S4; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OSunspecified < 18.3R3-S5affected
Juniper NetworksJunos OS18.4 < 18.4R3-S9affected
Juniper NetworksJunos OS19.1 < 19.1R3-S6affected
Juniper NetworksJunos OS19.2 < 19.2R3-S3affected
Juniper NetworksJunos OS19.3 < 19.3R2-S6, 19.3R3-S3affected
Juniper NetworksJunos OS19.4 < 19.4R3-S5affected
Juniper NetworksJunos OS20.1 < 20.1R3-S4affected
Juniper NetworksJunos OS20.2 < 20.2R3-S2affected
Juniper NetworksJunos OS20.3 < 20.3R3affected
Juniper NetworksJunos OS20.4 < 20.4R3affected
Juniper NetworksJunos OS21.1 < 21.1R1-S1, 21.1R2affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

Workarounds

To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted administrative networks, hosts and users.

Alternatively, J-Web can be disabled.

ADP Enrichment

CVE Program Container

Additional References

References