Improper access control in Juniper Networks Contrail Service Orchestration



Published: 2022-01-17
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-22152
CWE-ID CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Juniper Networks Contrail Service Orchestration
Server applications / DLP, anti-spam, sniffers

Vendor

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper access control

EUVDB-ID: #VU59637

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22152

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the REST API. A remote authenticated user can view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Juniper Networks Contrail Service Orchestration: before 6.2.0

External links

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11260&cat=SIRT_1&actp=LIST


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###