10

CVE-2021-31384

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 and later versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1.

Data is provided by the National Vulnerability Database (NVD)
JuniperJunos Version20.4 Updater1
   JuniperSrx1500 Version-
   JuniperSrx300 Version-
   JuniperSrx4100 Version-
   JuniperSrx4200 Version-
   JuniperSrx4600 Version-
   JuniperSrx5400 Version-
   JuniperSrx550 Version-
   JuniperSrx5600 Version-
   JuniperSrx5800 Version-
JuniperJunos Version20.4 Updater1-s1
   JuniperSrx1500 Version-
   JuniperSrx300 Version-
   JuniperSrx4100 Version-
   JuniperSrx4200 Version-
   JuniperSrx4600 Version-
   JuniperSrx5400 Version-
   JuniperSrx550 Version-
   JuniperSrx5600 Version-
   JuniperSrx5800 Version-
JuniperJunos Version20.4 Updater2
   JuniperSrx1500 Version-
   JuniperSrx300 Version-
   JuniperSrx4100 Version-
   JuniperSrx4200 Version-
   JuniperSrx4600 Version-
   JuniperSrx5400 Version-
   JuniperSrx550 Version-
   JuniperSrx5600 Version-
   JuniperSrx5800 Version-
JuniperJunos Version21.1 Updater1
   JuniperSrx1500 Version-
   JuniperSrx300 Version-
   JuniperSrx4100 Version-
   JuniperSrx4200 Version-
   JuniperSrx4600 Version-
   JuniperSrx5400 Version-
   JuniperSrx550 Version-
   JuniperSrx5600 Version-
   JuniperSrx5800 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.37% 0.555
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
sirt@juniper.net 7.2 3.9 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-1220 Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-939 Improper Authorization in Handler for Custom URL Scheme

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

https://kb.juniper.net/
Permissions Required