An Improper Certificate Validation weakness in Juniper Networks Junos OS allows an attacker to perform Person-in-the-Middle (PitM) attacks when a system script is fetched from a remote source at a specified HTTPS URL, which may compromise the integrity and confidentiality of the device.

The following command, which an administrator can execute via the CLI to refresh a script from a remote location, is affected by this vulnerability:

>request system scripts refresh-from (commit | event | extension-service | op | snmp) file filename url <https-url>

This issue affects Juniper Networks Junos OS: all versions prior to 18.4R2-S9, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S7; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R2-S1, 20.3R3; 20.4 versions prior to 20.4R2; 21.1 versions prior to 21.1R1-S1, 21.1R2.
Attack Vector Network
Attack Complexity High
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact None
User Interaction None
No CVSS v3.0
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None
AV:N/AC:M/Au:N/C:P/I:P/A:N
Vendors | Products |
---|---|
Juniper |
References
Link | Resource |
---|---|
https://kb.juniper.net/JSA11264 | Exploit Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: juniper
Published: 2022-01-12T00:00:00
Updated: 2022-01-19T00:20:58
Reserved: 2021-12-21T00:00:00
Link: CVE-2022-22156
NVD Information
Status: Analyzed
Published: 2022-01-19T01:15:08.383
Modified: 2022-01-26T17:20:23.260
Link: CVE-2022-22156
Redhat Information
No data.