Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 and later versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1.
Published 2021-10-19 19:15:11
Updated 2021-10-25 17:25:20
Vulnerability category: Bypass, Gain privilege

Products affected by CVE-2021-31384

Exploit prediction scoring system (EPSS) score for CVE-2021-31384

  • 0.22%: probability of exploitation activity in the next 30 days
  • ~60%: percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-31384

Base Score  Base Severity  CVSS Vector                                   Exploitability Score  Impact Score  Score Source            First Seen
7.5         HIGH           AV:N/AC:L/Au:N/C:P/I:P/A:P                    10.0                  6.4           NIST
10.0        CRITICAL       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H  3.9                   6.0           NIST
7.2         HIGH           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N  3.9                   2.7           Juniper Networks, Inc.

CWE ids for CVE-2021-31384

  • The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
    Assigned by: sirt@juniper.net (Secondary)
  • If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
    Assigned by: sirt@juniper.net (Secondary)
  • The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
    Assigned by:
    • nvd@nist.gov (Primary)
    • sirt@juniper.net (Secondary)
  • The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
    Assigned by: sirt@juniper.net (Secondary)
  • The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
    Assigned by: sirt@juniper.net (Secondary)

References for CVE-2021-31384
