Vulnerability Details : CVE-2021-31384
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 and later versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2021-31384
- cpe:2.3:o:juniper:junos:20.4:r1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:20.4:r1-s1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:21.1:r1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:20.4:r2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-31384
- EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~60% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-31384
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | NIST | |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 | Juniper Networks, Inc. | |
CWE ids for CVE-2021-31384
- The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: sirt@juniper.net, Secondary)
- If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. (Assigned by: sirt@juniper.net, Secondary)
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: nvd@nist.gov, Primary; sirt@juniper.net, Secondary)
- The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. (Assigned by: sirt@juniper.net, Secondary)
- The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (Assigned by: sirt@juniper.net, Secondary)
References for CVE-2021-31384
- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11252 : 2021-10 Security Bulletin: Junos OS: SRX Series: Under a specific device configuration an attacker can access the device's J-Web management services from any interface, regardless of security settings (Vendor Advisory)
- https://kb.juniper.net/ : Juniper Networks (Permissions Required)