CVE-2024-39565

EUVD-2024-38090

10.07.2024, 23:15

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device. 

While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device.
This issue affects Junos OS: 



  *  All versions before 21.2R3-S8, 
  *  from 21.4 before 21.4R3-S7,
  *  from 22.2 before 22.2R3-S4,
  *  from 22.3 before 22.3R3-S3,
  *  from 22.4 before 22.4R3-S2,
  *  from 23.2 before 23.2R2,
  *  from 23.4 before 23.4R1-S1, 23.4R2.

XPath Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Affected Products (NVD)

Vendor	Product	Version
juniper	j-web	-
juniper	junos	𝑥 < 21.2
juniper	junos	21.2
juniper	junos	21.2:r1
juniper	junos	21.2:r1-s1
juniper	junos	21.2:r1-s2
juniper	junos	21.2:r2
juniper	junos	21.2:r2-s1
juniper	junos	21.2:r2-s2
juniper	junos	21.2:r3
juniper	junos	21.2:r3-s1
juniper	junos	21.2:r3-s2
juniper	junos	21.2:r3-s3
juniper	junos	21.2:r3-s4
juniper	junos	21.2:r3-s5
juniper	junos	21.2:r3-s6
juniper	junos	21.2:r3-s7
juniper	junos	21.4
juniper	junos	21.4:r1
juniper	junos	21.4:r1-s1
juniper	junos	21.4:r1-s2
juniper	junos	21.4:r2
juniper	junos	21.4:r2-s1
juniper	junos	21.4:r2-s2
juniper	junos	21.4:r3
juniper	junos	21.4:r3-s1
juniper	junos	21.4:r3-s2
juniper	junos	21.4:r3-s3
juniper	junos	21.4:r3-s4
juniper	junos	21.4:r3-s5
juniper	junos	21.4:r3-s6
juniper	junos	22.2
juniper	junos	22.2:r1
juniper	junos	22.2:r1-s1
juniper	junos	22.2:r1-s2
juniper	junos	22.2:r2
juniper	junos	22.2:r2-s1
juniper	junos	22.2:r2-s2
juniper	junos	22.2:r3
juniper	junos	22.2:r3-s1
juniper	junos	22.2:r3-s2
juniper	junos	22.2:r3-s3
juniper	junos	22.3
juniper	junos	22.3:r1
juniper	junos	22.3:r1-s1
juniper	junos	22.3:r1-s2
juniper	junos	22.3:r2
juniper	junos	22.3:r2-s1
juniper	junos	22.3:r2-s2
juniper	junos	22.3:r3
juniper	junos	22.3:r3-s1
juniper	junos	22.3:r3-s2
juniper	junos	22.4
juniper	junos	22.4:r1
juniper	junos	22.4:r1-s1
juniper	junos	22.4:r1-s2
juniper	junos	22.4:r2
juniper	junos	22.4:r2-s1
juniper	junos	22.4:r2-s2
juniper	junos	22.4:r3
juniper	junos	22.4:r3-s1
juniper	junos	23.2
juniper	junos	23.2:r1
juniper	junos	23.2:r1-s1
juniper	junos	23.2:r1-s2
juniper	junos	23.4
juniper	junos	23.4:r1
juniper	junos	23.4:r2

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
juniper	junos_os	𝑥 < 21.2r3-s8	ADP
juniper	junos_os	23.4 ≤ 𝑥 < 23.4r1-s1	ADP
juniper	junos_os	23.4 ≤ 𝑥 < 23.4r2	ADP
juniper	junos_os	21.4 ≤ 𝑥 < 21.4r3-s7	ADP
juniper	junos_os	22.2 ≤ 𝑥 < 22.2r3-s4	ADP
juniper	junos_os	22.3 ≤ 𝑥 < 22.3r3-s3	ADP
juniper	junos_os	22.4 ≤ 𝑥 < 22.4r3-s2	ADP
juniper	junos_os	23.2 ≤ 𝑥 < 23.2r2	ADP

Common Weakness Enumeration

CWE-643 - Improper Neutralization of Data within XPath Expressions ('XPath Injection')
The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

References

https://support.juniper.net/support/downloads/?p=283

https://supportportal.juniper.net/JSA83023

https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber

https://support.juniper.net/support/downloads/?p=283

https://supportportal.juniper.net/JSA83023

https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber