CVE-2024-2973

27.06.2024, 21:15

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device.
Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability.




No other Juniper Networks products or platforms are affected by this issue.





This issue affects:

Session Smart Router:



  *  All versions before 5.6.15,
  *  from 6.0 before 6.1.9-lts,
  *  from 6.2 before 6.2.5-sts.



Session Smart Conductor:



  *  All versions before 5.6.15,
  *  from 6.0 before 6.1.9-lts,
  *  from 6.2 before 6.2.5-sts.



WAN Assurance Router:



  *  6.0 versions before 6.1.9-lts,
  *  6.2 versions before 6.2.5-sts.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
juniper	CNA	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 44%

Common Weakness Enumeration

CWE-288 - Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References

https://support.juniper.net/support/eol/software/ssr/

https://supportportal.juniper.net/JSA83126

https://support.juniper.net/support/eol/software/ssr/

https://supportportal.juniper.net/JSA83126