CVE-2018-0046 - OpenCVE

A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Juniper	Junos Space

Configuration 1 [-]

cpe:2.3:a:juniper:junos_space:18.1r1:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/105566	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041862	Third Party Advisory VDB Entry
https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d	Patch Third Party Advisory
https://kb.juniper.net/JSA10880	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: juniper

Published: 2018-10-10T00:00:00

Updated: 2018-10-17T09:57:01

Reserved: 2017-11-16T00:00:00

Link: CVE-2018-0046

JSON object: View

NVD Information

Status : Modified

Published: 2018-10-10T18:29:00.780

Modified: 2019-10-09T23:31:05.440

Link: CVE-2018-0046

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Junos Space", "vendor": "Juniper Networks", "versions": [{"lessThan": "18.2R1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Marcel Bilal of IT-Dienstleistungszentrum Berlin"}], "datePublic": "2018-10-10T00:00:00", "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1."}], "exploits": [{"lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Reflected cross-site scripting vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T09:57:01", "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper"}, "references": [{"name": "105566", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105566"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kb.juniper.net/JSA10880"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d"}, {"name": "1041862", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041862"}], "solutions": [{"lang": "en", "value": "The following software releases have been updated to resolve this specific issue: Junos Space 18.2R1, and all subsequent releases.\n"}], "source": {"advisory": "JSA10880", "defect": ["1337619"], "discovery": "EXTERNAL"}, "title": "Junos Space: Reflected Cross-site Scripting vulnerability in OpenNMS", "workarounds": [{"lang": "en", "value": "There are no viable workarounds for this issue."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "sirt@juniper.net", "DATE_PUBLIC": "2018-10-10T16:00:00.000Z", "ID": "CVE-2018-0046", "STATE": "PUBLIC", "TITLE": "Junos Space: Reflected Cross-site Scripting vulnerability in OpenNMS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Junos Space", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "18.2R1"}]}}]}, "vendor_name": "Juniper Networks"}]}}, "credit": [{"lang": "eng", "value": "Marcel Bilal of IT-Dienstleistungszentrum Berlin"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1."}]}, "exploit": [{"lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Reflected cross-site scripting vulnerability"}]}]}, "references": {"reference_data": [{"name": "105566", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105566"}, {"name": "https://kb.juniper.net/JSA10880", "refsource": "CONFIRM", "url": "https://kb.juniper.net/JSA10880"}, {"name": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d", "refsource": "CONFIRM", "url": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d"}, {"name": "1041862", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041862"}]}, "solution": [{"lang": "en", "value": "The following software releases have been updated to resolve this specific issue: Junos Space 18.2R1, and all subsequent releases.\n"}], "source": {"advisory": "JSA10880", "defect": ["1337619"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "There are no viable workarounds for this issue."}]}}}, "cveMetadata": {"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "assignerShortName": "juniper", "cveId": "CVE-2018-0046", "datePublished": "2018-10-10T00:00:00", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2018-10-17T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juniper:junos_space:18.1r1:*:*:*:*:*:*:*", "matchCriteriaId": "D82DF30A-C838-49AC-95DC-16D765FD5588", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions. This issue affects Juniper Networks Junos Space versions prior to 18.2R1."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en OpenNMS incluido con Juniper Networks Junos Space podr\u00eda permitir el robo de informaci\u00f3n sensible o credenciales de sesi\u00f3n de los administradores de Junos Space o realizar acciones administrativas. Este problema afecta a Juniper Networks Junos Space en versiones anteriores a la 18.2R1."}], "id": "CVE-2018-0046", "lastModified": "2019-10-09T23:31:05.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2018-10-10T18:29:00.780", "references": [{"source": "sirt@juniper.net", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105566"}, {"source": "sirt@juniper.net", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041862"}, {"source": "sirt@juniper.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/commit/8710463077c10034fcfa06556a98fb1a1a64fd0d"}, {"source": "sirt@juniper.net", "tags": ["Vendor Advisory"], "url": "https://kb.juniper.net/JSA10880"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}