CVE-2022-22245

Summary

A Path Traversal vulnerability in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to upload arbitrary files to the device by bypassing validation checks built into Junos OS. The attacker should not be able to execute the file due to validation checks built into Junos OS. Successful exploitation of this vulnerability could lead to loss of filesystem integrity. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OSunspecified < 19.1R3-S9affected
Juniper NetworksJunos OS19.2 < 19.2R3-S6affected
Juniper NetworksJunos OS19.3 < 19.3R3-S7affected
Juniper NetworksJunos OS19.4 < 19.4R3-S9affected
Juniper NetworksJunos OS20.1 < 20.1R3-S5affected
Juniper NetworksJunos OS20.2 < 20.2R3-S5affected
Juniper NetworksJunos OS20.3 < 20.3R3-S5affected
Juniper NetworksJunos OS20.4 < 20.4R3-S4affected
Juniper NetworksJunos OS21.1 < 21.1R3-S2affected
Juniper NetworksJunos OS21.2 < 21.2R3-S1affected
Juniper NetworksJunos OS21.3 < 21.3R2-S2, 21.3R3affected
Juniper NetworksJunos OS21.4 < 21.4R1-S2, 21.4R2-S1, 21.4R3affected
Juniper NetworksJunos OS22.1 < 22.1R1-S1, 22.1R2affected

Weaknesses

  • CWE-23: CWE-23 Relative Path Traversal

Workarounds

Disable J-Web, or limit access to only trusted hosts.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References