Lucene search

JuniperCVE-2021-0296

HistoryOct 19, 2021 - 7:15 p.m.

CVE-2021-0296

2021-10-1919:15:08

CWE-319

juniper

web.nvd.nist.gov

juniper networks

ctpview

http strict transport security

hsts

downgrade attacks

ssl-stripping

cookie hijacking

vulnerability

cve-2021-0296

nvd

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

48.0%

JSON

The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3.

Affected configurations

Nvd

Node

juniperctpviewMatch7.3r1

juniperctpviewMatch7.3r2

juniperctpviewMatch7.3r3

juniperctpviewMatch7.3r4

juniperctpviewMatch7.3r5

juniperctpviewMatch7.3r6

juniperctpviewMatch9.1r1

juniperctpviewMatch9.1r2

VendorProductVersionCPE
juniperctpview7.3cpe:2.3:a:juniper:ctpview:7.3:r1:*:*:*:*:*:*
juniperctpview7.3cpe:2.3:a:juniper:ctpview:7.3:r2:*:*:*:*:*:*
juniperctpview7.3cpe:2.3:a:juniper:ctpview:7.3:r3:*:*:*:*:*:*
juniperctpview7.3cpe:2.3:a:juniper:ctpview:7.3:r4:*:*:*:*:*:*
juniperctpview7.3cpe:2.3:a:juniper:ctpview:7.3:r5:*:*:*:*:*:*
juniperctpview7.3cpe:2.3:a:juniper:ctpview:7.3:r6:*:*:*:*:*:*
juniperctpview9.1cpe:2.3:a:juniper:ctpview:9.1:r1:*:*:*:*:*:*
juniperctpview9.1cpe:2.3:a:juniper:ctpview:9.1:r2:*:*:*:*:*:*

Vendor	Product	Version	CPE
juniper	ctpview	7.3	cpe:2.3:a:juniper:ctpview:7.3:r1::::::
juniper	ctpview	7.3	cpe:2.3:a:juniper:ctpview:7.3:r2::::::
juniper	ctpview	7.3	cpe:2.3:a:juniper:ctpview:7.3:r3::::::
juniper	ctpview	7.3	cpe:2.3:a:juniper:ctpview:7.3:r4::::::
juniper	ctpview	7.3	cpe:2.3:a:juniper:ctpview:7.3:r5::::::
juniper	ctpview	7.3	cpe:2.3:a:juniper:ctpview:7.3:r6::::::
juniper	ctpview	9.1	cpe:2.3:a:juniper:ctpview:9.1:r1::::::
juniper	ctpview	9.1	cpe:2.3:a:juniper:ctpview:9.1:r2::::::

CNA Affected

[
  {
    "product": "CTPView",
    "vendor": "Juniper Networks",
    "versions": [
      {
        "lessThan": "7.3R7",
        "status": "affected",
        "version": "7.3",
        "versionType": "custom"
      },
      {
        "lessThan": "9.1R3",
        "status": "affected",
        "version": "9.1",
        "versionType": "custom"
      }
    ]
  }
]

References

kb.juniper.net/JSA11210

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

48.0%

JSON

Related for CVE-2021-0296