Vulnerabilities

CVE-2024-21620 Vulnerability in J-Web | Critical Insight

Written by Critical Insight | Jan 29, 2024 11:17:31 PM

This advisory is for organizations that use Juniper SRX Series firewalls and Juniper EX Series switches. If your organization does not use these products, this notification may be discarded.

Summary

Juniper Networks has released updates for the Juno OS for Juniper SRX Series and Juniper EX Series products to address several vulnerabilities, including a critical vulnerability which may allow an attacker to leverage Cross Site Scripting (XSS) to generate a URL which can be provided to another user to execute commands with the target’s permission level.

“An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives.”

CVE-2024-21620 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web

                CSVVv3.1: 8.8

Affected Platforms

The following Junos OS software releases have been updated:

 CVE-2024-21620: 20.4R3-S10*, 21.2R3-S8*, 21.4R3-S6*, 22.1R3-S5*, 22.2R3-S3*, 22.3R3-S2*, 22.4R3-S1*, 23.2R2*, 23.4R2*, and all subsequent releases. (* Pending Publication)

CVE-2024-21619: 20.4R3-S9, 21.2R3-S7*, 21.3R3-S5, 21.4R3-S6*, 22.1R3-S5*, 22.2R3-S3*, 22.3R3-S2*, 22.4R3*, 23.2R1-S2, 23.2R2*, 23.4R1, and all subsequent releases. (* Pending Publication)

Additional Resources

https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2024-21620

https://cwe.mitre.org/data/definitions/79.html