"value":"This issue can only be exploited if J-Web is configured for example with:\n\n [system services web-management http]\n\nor\n\n [system services web-management https]"
}
],
"credit":[
{
"lang":"eng",
"value":"The Juniper SIRT would like to acknowledge and thank Andy Coles of Microsoft MSRC Vulnerabilities and Mitigations Team for responsibly reporting this issue."
"value":"A Generation of Error Message Containing Sensitive Information vulnerability in the CLI of Juniper Networks Junos OS allows a locally authenticated attacker with low privileges to elevate these to the level of any other user logged in via J-Web at this time, potential leading to a full compromise of the device. This issue affects Juniper Networks Junos OS: All versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R2-S9, 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3-S1; 21.1 versions prior to 21.1R2-S1, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2."
"value":"The following software releases have been updated to resolve this specific issue: 15.1R7-S11, 18.3R3-S6, 18.4R2-S9, 18.4R3-S10, 19.1R2-S3, 19.1R3-S7, 19.2R1-S8, 19.2R3-S4, 19.3R3-S4, 19.4R3-S6, 20.1R3-S2, 20.2R3-S3, 20.3R3-S1, 20.4R3-S1, 21.1R2-S1, 21.1R3, 21.2R1-S1, 21.2R2, 21.3R1, and all subsequent releases."
}
],
"source":{
"advisory":"JSA11270",
"defect":[
"1593200"
],
"discovery":"EXTERNAL"
},
"work_around":[
{
"lang":"eng",
"value":"There are no viable workarounds for this issue other than disabling J-Web.\n\nTo reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted administrative networks, hosts and users."
