Information disclosure in Junos OS J-Web

Published: 2016-06-22 | Updated: 2025-06-28

Risk	Critical
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2016-1279
CWE-ID	CWE-200
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Juniper Junos OS Operating systems & Components / Operating system
Vendor	Juniper Networks, Inc.

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) J-Web information leak in Juniper Junos

EUVDB-ID: #VU142

Risk: Critical

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]

CVE-ID: CVE-2016-1279

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due information disclosure in J-Web interface. A remote non-authenticated attacker can gain administrative privileges or perform certain administrative actions on the device.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Juniper Junos OS: before 12.1X46-D45, 12.1X46-D46, 12.1X46-D51, 12.1X47-D35, 12.3X48-D25, 12.3R12, 13.3R9-S1, 13.3R10, 14.1X53-D35, 14.1R7, 14.2R6, 15.1X49-D30, 15.1R3, 15.1F4, 15.1A2

CPE2.3

cpe:2.3:o:juniper_networks:juniper_junos_os:*:*:*:*:*:*:*:*

External links

https://supportportal.juniper.net/s/article/2016-07-Security-Bulletin-Junos-J-Web-Privilege-Escalation-due-to-information-leak-CVE-2016-1279

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.