CVE-2024-21619
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD
Description
A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information.
When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information.
This issue affects Juniper Networks Junos OS on SRX Series and EX Series:
* All versions earlier than 20.4R3-S9;
* 21.2 versions earlier than 21.2R3-S7;
* 21.3 versions earlier than 21.3R3-S5;
* 21.4 versions earlier than 21.4R3-S6;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S2;
* 22.4 versions earlier than 22.4R3;
* 23.2 versions earlier than 23.2R1-S2, 23.2R2.
Affected (96)
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 20.4 |
| Running on/with | Platform Versions |
|---|---|
Juniper Ex2200 | All versions |
Juniper Ex2200 C | All versions |
Juniper Ex2200 Vc | All versions |
Juniper Ex2300 | All versions |
Juniper Ex2300 24mp | All versions |
Juniper Ex2300 24p | All versions |
Juniper Ex2300 24t | All versions |
Juniper Ex2300 48mp | All versions |
Juniper Ex2300 48p | All versions |
Juniper Ex2300 48t | All versions |
Juniper Ex2300 C | All versions |
Juniper Ex2300 Multigigabit | All versions |
Juniper Ex2300m | All versions |
Juniper Ex3200 | All versions |
Juniper Ex3300 | All versions |
Juniper Ex3300 Vc | All versions |
Juniper Ex3400 | All versions |
Juniper Ex4100 | All versions |
Juniper Ex4100 F | All versions |
Juniper Ex4100 Multigigabit | All versions |
Juniper Ex4200 | All versions |
Juniper Ex4200 Vc | All versions |
Juniper Ex4300 | All versions |
Juniper Ex4300 24p | All versions |
Juniper Ex4300 24p S | All versions |
Juniper Ex4300 24t | All versions |
Juniper Ex4300 24t S | All versions |
Juniper Ex4300 32f | All versions |
Juniper Ex4300 32f Dc | All versions |
Juniper Ex4300 32f S | All versions |
Juniper Ex4300 48mp | All versions |
Juniper Ex4300 48mp S | All versions |
Juniper Ex4300 48p | All versions |
Juniper Ex4300 48p S | All versions |
Juniper Ex4300 48t | All versions |
Juniper Ex4300 48t Afi | All versions |
Juniper Ex4300 48t Dc | All versions |
Juniper Ex4300 48t Dc Afi | All versions |
Juniper Ex4300 48t S | All versions |
Juniper Ex4300 48tafi | All versions |
Juniper Ex4300 48tdc | All versions |
Juniper Ex4300 48tdc Afi | All versions |
Juniper Ex4300 Mp | All versions |
Juniper Ex4300 Vc | All versions |
Juniper Ex4300 Multigigabit | All versions |
Juniper Ex4300m | All versions |
Juniper Ex4400 | All versions |
Juniper Ex4400 24x | All versions |
Juniper Ex4400 Multigigabit | All versions |
Juniper Ex4500 | All versions |
Juniper Ex4500 Vc | All versions |
Juniper Ex4550 | All versions |
Juniper Ex4550 Vc | All versions |
Juniper Ex4550/vc | All versions |
Juniper Ex4600 | All versions |
Juniper Ex4600 Vc | All versions |
Juniper Ex4650 | All versions |
Juniper Ex6200 | All versions |
Juniper Ex6210 | All versions |
Juniper Ex8200 | All versions |
Juniper Ex8200 Vc | All versions |
Juniper Ex8208 | All versions |
Juniper Ex8216 | All versions |
Juniper Ex9200 | All versions |
Juniper Ex9204 | All versions |
Juniper Ex9208 | All versions |
Juniper Ex9214 | All versions |
Juniper Ex9250 | All versions |
Juniper Ex9251 | All versions |
Juniper Ex9253 | All versions |
Juniper Ex Redundant Power System | All versions |
Juniper Ex Rps | All versions |
Juniper Srx100 | All versions |
Juniper Srx110 | All versions |
Juniper Srx1400 | All versions |
Juniper Srx1500 | All versions |
Juniper Srx1600 | All versions |
Juniper Srx210 | All versions |
Juniper Srx220 | All versions |
Juniper Srx2300 | All versions |
Juniper Srx240 | All versions |
Juniper Srx240h2 | All versions |
Juniper Srx240m | All versions |
Juniper Srx300 | All versions |
Juniper Srx320 | All versions |
Juniper Srx340 | All versions |
Juniper Srx3400 | All versions |
Juniper Srx345 | All versions |
Juniper Srx3600 | All versions |
Juniper Srx380 | All versions |
Juniper Srx4000 | All versions |
Juniper Srx4100 | All versions |
Juniper Srx4200 | All versions |
Juniper Srx4300 | All versions |
Juniper Srx4600 | All versions |
Juniper Srx4700 | All versions |
Juniper Srx5000 | All versions |
Juniper Srx5400 | All versions |
Juniper Srx550 | All versions |
Juniper Srx550 Hm | All versions |
Juniper Srx550m | All versions |
Juniper Srx5600 | All versions |
Juniper Srx5800 | All versions |
Juniper Srx650 | All versions |
Related CWEs
CWE-209
Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References (2)
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.