CVE-2022-22244

18.10.2022, 03:15

An XPath Injection vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker sending a crafted POST to reach the XPath channel, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S3; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2; 22.1 versions prior to 22.1R1-S1, 22.1R2.

aka Blind XPath Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
juniper	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Vendor	Product	Version
juniper	junos	𝑥 < 19.1
juniper	junos	19.1
juniper	junos	19.1:r1
juniper	junos	19.1:r1-s1
juniper	junos	19.1:r1-s2
juniper	junos	19.1:r1-s3
juniper	junos	19.1:r1-s4
juniper	junos	19.1:r1-s5
juniper	junos	19.1:r1-s6
juniper	junos	19.1:r2
juniper	junos	19.1:r2-s1
juniper	junos	19.1:r2-s2
juniper	junos	19.1:r2-s3
juniper	junos	19.1:r3
juniper	junos	19.1:r3-s1
juniper	junos	19.1:r3-s2
juniper	junos	19.1:r3-s3
juniper	junos	19.1:r3-s4
juniper	junos	19.1:r3-s5
juniper	junos	19.1:r3-s6
juniper	junos	19.1:r3-s7
juniper	junos	19.1:r3-s8
juniper	junos	19.2
juniper	junos	19.2:r1
juniper	junos	19.2:r1-s1
juniper	junos	19.2:r1-s2
juniper	junos	19.2:r1-s3
juniper	junos	19.2:r1-s4
juniper	junos	19.2:r1-s5
juniper	junos	19.2:r1-s6
juniper	junos	19.2:r1-s7
juniper	junos	19.2:r1-s8
juniper	junos	19.2:r1-s9
juniper	junos	19.2:r2
juniper	junos	19.2:r2-s1
juniper	junos	19.2:r3
juniper	junos	19.2:r3-s1
juniper	junos	19.2:r3-s2
juniper	junos	19.2:r3-s3
juniper	junos	19.2:r3-s4
juniper	junos	19.2:r3-s5
juniper	junos	19.3
juniper	junos	19.3:r1
juniper	junos	19.3:r1-s1
juniper	junos	19.3:r2
juniper	junos	19.3:r2-s1
juniper	junos	19.3:r2-s2
juniper	junos	19.3:r2-s3
juniper	junos	19.3:r2-s4
juniper	junos	19.3:r2-s5
juniper	junos	19.3:r2-s6
juniper	junos	19.3:r3
juniper	junos	19.3:r3-s1
juniper	junos	19.3:r3-s2
juniper	junos	19.3:r3-s3
juniper	junos	19.3:r3-s4
juniper	junos	19.3:r3-s5
juniper	junos	19.3:r3-s6
juniper	junos	19.4
juniper	junos	19.4:r1
juniper	junos	19.4:r1-s1
juniper	junos	19.4:r1-s2
juniper	junos	19.4:r1-s3
juniper	junos	19.4:r1-s4
juniper	junos	19.4:r2
juniper	junos	19.4:r2-s1
juniper	junos	19.4:r2-s2
juniper	junos	19.4:r2-s3
juniper	junos	19.4:r2-s4
juniper	junos	19.4:r2-s5
juniper	junos	19.4:r2-s6
juniper	junos	19.4:r3
juniper	junos	19.4:r3-s1
juniper	junos	19.4:r3-s2
juniper	junos	19.4:r3-s3
juniper	junos	19.4:r3-s4
juniper	junos	19.4:r3-s5
juniper	junos	19.4:r3-s6
juniper	junos	19.4:r3-s7
juniper	junos	19.4:r3-s8
juniper	junos	20.1
juniper	junos	20.1:r1
juniper	junos	20.1:r1-s1
juniper	junos	20.1:r1-s2
juniper	junos	20.1:r1-s3
juniper	junos	20.1:r1-s4
juniper	junos	20.1:r2
juniper	junos	20.1:r2-s1
juniper	junos	20.1:r2-s2
juniper	junos	20.1:r3
juniper	junos	20.1:r3-s1
juniper	junos	20.1:r3-s2
juniper	junos	20.1:r3-s3
juniper	junos	20.1:r3-s4
juniper	junos	20.2
juniper	junos	20.2:r1
juniper	junos	20.2:r1-s1
juniper	junos	20.2:r1-s2
juniper	junos	20.2:r1-s3
juniper	junos	20.2:r2
juniper	junos	20.2:r2-s1
juniper	junos	20.2:r2-s2
juniper	junos	20.2:r2-s3
juniper	junos	20.2:r3
juniper	junos	20.2:r3-s1
juniper	junos	20.2:r3-s2
juniper	junos	20.2:r3-s3
juniper	junos	20.2:r3-s4
juniper	junos	20.3
juniper	junos	20.3:r1
juniper	junos	20.3:r1-s1
juniper	junos	20.3:r1-s2
juniper	junos	20.3:r2
juniper	junos	20.3:r2-s1
juniper	junos	20.3:r3
juniper	junos	20.3:r3-s1
juniper	junos	20.3:r3-s2
juniper	junos	20.3:r3-s3
juniper	junos	20.3:r3-s4
juniper	junos	20.4
juniper	junos	20.4:r1
juniper	junos	20.4:r1-s1
juniper	junos	20.4:r2
juniper	junos	20.4:r2-s1
juniper	junos	20.4:r2-s2
juniper	junos	20.4:r3
juniper	junos	20.4:r3-s1
juniper	junos	20.4:r3-s2
juniper	junos	20.4:r3-s3
juniper	junos	21.1
juniper	junos	21.1:r1
juniper	junos	21.1:r1-s1
juniper	junos	21.1:r2
juniper	junos	21.1:r2-s1
juniper	junos	21.1:r2-s2
juniper	junos	21.1:r3
juniper	junos	21.1:r3-s1
juniper	junos	21.2
juniper	junos	21.2:r1
juniper	junos	21.2:r1-s1
juniper	junos	21.2:r1-s2
juniper	junos	21.2:r2
juniper	junos	21.2:r2-s1
juniper	junos	21.2:r2-s2
juniper	junos	21.2:r3
juniper	junos	21.3
juniper	junos	21.3:r1
juniper	junos	21.3:r1-s1
juniper	junos	21.3:r1-s2
juniper	junos	21.3:r2
juniper	junos	21.3:r2-s1
juniper	junos	21.3:r2-s2
juniper	junos	21.4
juniper	junos	21.4:r1
juniper	junos	21.4:r1-s1
juniper	junos	21.4:r1-s2
juniper	junos	21.4:r2
juniper	junos	21.4:r2-s1
juniper	junos	22.1:r1
juniper	junos	22.1:r1-s1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-91 - XML Injection (aka Blind XPath Injection)
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

References

https://kb.juniper.net/JSA69899