Issued: Monday, 31 October, 2022
Last Revision: Monday, 31 October, 2022
Vendor: Juniper Networks
Product: Junos OS (J-Web component)
Severity Level: High
Multiple high-severity vulnerabilities have been identified in Juniper Networks devices that can be exploited to gain code execution. J-Web, the web-based management interface of Junos OS, is directly affected by a remote, pre-authentication PHP archive (phar) file deserialization vulnerability.
These vulnerabilities can also lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.
| CVE/Vulnerability | Description | CVSS 3.1 Base Score | Exploitable |
|---|---|---|---|
| CVE-2022-22241 | An Improper Input Validation vulnerability in the J-Web component: the remote, pre-authentication PHP archive (phar) deserialization issue described above. | 8.1 | No |
| CVE-2022-22246 | A PHP Local File Inclusion (LFI) vulnerability allows a low-privileged authenticated attacker to execute an untrusted PHP file. | 7.5 | No |
| CVE-2022-22242 | A reflected Cross-site Scripting (XSS) vulnerability allows an unauthenticated attacker to run malicious scripts, reflected off J-Web, in the victim's browser in the context of their J-Web session. | 6.1 | No |
Table 1: Vulnerability details
The following Junos OS versions are affected by CVE-2022-22241, CVE-2022-22242 and CVE-2022-22246:

| Affected versions | Fixed release |
|---|---|
| All versions prior to 19.1R3-S9 | 19.1R3-S9 |
| 19.2 versions prior to 19.2R3-S6 | 19.2R3-S6 |
| 19.3 versions prior to 19.3R3-S7 | 19.3R3-S7 |
| 19.4 versions prior to 19.4R3-S9 | 19.4R3-S9 |
| 20.1 versions prior to 20.1R3-S5 | 20.1R3-S5 |
| 20.2 versions prior to 20.2R3-S5 | 20.2R3-S5 |
| 20.3 versions prior to 20.3R3-S5 | 20.3R3-S5 |
| 20.4 versions prior to 20.4R3-S4 | 20.4R3-S4 |
| 21.1 versions prior to 21.1R3-S2 | 21.1R3-S2 |
| 21.2 versions prior to 21.2R3-S1 | 21.2R3-S1 |
| 21.3 versions prior to 21.3R3 | 21.3R3 |
| 21.4 versions prior to 21.4R3 | 21.4R3 |
| 22.1 versions prior to 22.1R2 | 22.1R2 |
Table 2: Vulnerable versions
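The check below is an added example for this advisory and is not Juniper code. It encodes the affected ranges from Table 2 and reports whether a given Junos OS version string falls inside one of them, so an inventory can be screened before planning upgrades. It assumes the plain `<major>.<minor>R<n>[-S<m>]` version form used in the table (other forms raise `ValueError`), treats a release train that Table 2 does not list (for example 22.2) as not affected, and the inventory it audits is constructed sample data with made-up hostnames.

```python
"""Screen Junos OS version strings against the affected ranges in Table 2.

Added example for this advisory; not Juniper code. Only the plain
<major>.<minor>R<n>[-S<m>] form used in Table 2 is supported.
"""
import re
from typing import Dict, NamedTuple, Optional


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # the "R" number
    service: int   # the "S" number; 0 when the string has no -S suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_version(text: str) -> JunosVersion:
    """Parse '20.4R3-S4' into JunosVersion(20, 4, 3, 4); raise ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, release, service = m.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))


# Fixed releases from Table 2 (CVE-2022-22241, -22242, -22246). The flag marks
# the "All versions prior to 19.1R3-S9" entry, which also covers every earlier
# release train (18.4, 18.3, ...), not only 19.1.
FIXED_RELEASES = [
    ("19.1R3-S9", True),
    ("19.2R3-S6", False),
    ("19.3R3-S7", False),
    ("19.4R3-S9", False),
    ("20.1R3-S5", False),
    ("20.2R3-S5", False),
    ("20.3R3-S5", False),
    ("20.4R3-S4", False),
    ("21.1R3-S2", False),
    ("21.2R3-S1", False),
    ("21.3R3", False),
    ("21.4R3", False),
    ("22.1R2", False),
]


class Assessment(NamedTuple):
    vulnerable: bool
    fixed_release: Optional[str]   # None when the train is not listed in Table 2


def assess(version_text: str) -> Assessment:
    """Return whether the version is in an affected range and the fix for its train."""
    v = parse_version(version_text)
    for fixed_text, covers_earlier_trains in FIXED_RELEASES:
        fixed = parse_version(fixed_text)
        same_train = (v.major, v.minor) == (fixed.major, fixed.minor)
        earlier_train = (v.major, v.minor) < (fixed.major, fixed.minor)
        if same_train or (covers_earlier_trains and earlier_train):
            # Tuple comparison orders by major, minor, R, then S, so 19.1R3 (S=0)
            # sorts before 19.1R3-S9 and 19.1R4 sorts after it.
            return Assessment(v < fixed, fixed_text)
    # Assumption: a train absent from Table 2 (e.g. 22.2) is not affected.
    return Assessment(False, None)


def audit(inventory: Dict[str, str]) -> Dict[str, Assessment]:
    """Return hostname -> Assessment for every host whose version is affected."""
    findings: Dict[str, Assessment] = {}
    for host, version_text in inventory.items():
        result = assess(version_text)
        if result.vulnerable:
            findings[host] = result
    return findings


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "edge-fw-01": "18.4R3-S10",   # pre-19.1 train, still "prior to 19.1R3-S9"
    "core-rtr-01": "20.4R3-S3",   # one service release short of the fix
    "core-rtr-02": "20.4R3-S4",   # exactly the fixed release
    "lab-srx-01": "21.3R2-S1",    # earlier R release than the 21.3R3 fix
    "lab-srx-02": "22.2R1",       # train not listed in Table 2
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; "
              f"upgrade to {result.fixed_release} or later")
```

The ordering key is the whole (major, minor, R, S) tuple, which is what "prior to" means in the table: a version with no `-S` suffix sorts as service release 0, and a later R release sorts after every service release of the previous one. Feed `audit` the output of `show version` from your own inventory after normalising it to the bare version string.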
All entities must follow the vendor's recommendation and upgrade to the fixed release for their release train (Table 2) or later to mitigate these vulnerabilities. Until the upgrade is applied, disabling J-Web or restricting it to trusted management hosts limits exposure, since all three issues are reached through the J-Web interface.
