Vulnerability Details : CVE-2022-22189
An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locally authenticated user to have their permissions elevated without authentication thereby taking control of the local system they are currently authenticated to. This issue affects: Juniper Networks Contrail Service Orchestration 6.0.0 versions prior to 6.0.0 Patch v3 on On-premises installations. This issue does not affect Juniper Networks Contrail Service Orchestration On-premises versions prior to 6.0.0.
Products affected by CVE-2022-22189
- cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:patch1:*:*:*:*:*:*
- cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:patch2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-22189
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~11% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-22189
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 1.3 | 5.9 | Juniper Networks, Inc. | |
CWE ids for CVE-2022-22189
- A product requires authentication, but the product has an alternate path or channel that does not require authentication. Assigned by: sirt@juniper.net (Secondary)
- The product assigns an owner to a resource, but the owner is outside of the intended control sphere. Assigned by: sirt@juniper.net (Secondary)
References for CVE-2022-22189
- https://kb.juniper.net/JSA69498
  2022-04 Security Bulletin: Contrail Service Orchestration: An authenticated local user may have their permissions elevated via the device via management interface without authentication (CVE-2022-2218
  Permissions Required; Vendor Advisory