OS Command Injection in Juniper Junos OS - CVE-2022-22221

Published: July 16, 2022


Vulnerability identifier: #VU65371
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-22221
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Juniper Networks, Inc.
Affected software:
Juniper Junos OS

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the 'request system download ...' and 'show system download ...' commands. A local user can pass specially crafted data to the affected CLI commands and execute arbitrary OS commands on the target system with elevated privileges.
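The advisory only names the two affected CLI commands, not the injection syntax, so the practical defensive step until the fix is installed is to audit who is invoking those commands and whether their arguments contain shell metacharacters. The following is an added example (not part of the advisory and not Juniper's code): a small detector run over constructed audit lines. It assumes the device forwards Junos CLI audit messages of the form `UI_CMDLINE_READ_LINE: User '...', command '...'` (emitted by mgd when interactive-command logging is enabled); the sample lines, the metacharacter list and all function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Commands the advisory names as lacking proper input validation.
AFFECTED_PREFIXES = ("request system download", "show system download")

# Generic shell metacharacters. The advisory does not state which syntax the
# flaw accepts, so this is a deliberately broad, high-recall heuristic
# (assumption for this example, not a published signature).
SHELL_META = re.compile(r"[;&|`<>]|\$\(|\$\{")

# Assumed audit-line shape: Junos UI_CMDLINE_READ_LINE messages from mgd,
# as seen on a remote syslog collector. Adjust to your own log pipeline.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) mgd\[\d+\]: "
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']*)', command '(?P<cmd>.*)'\s*$"
)

# Constructed sample input (not real device output).
SAMPLE_LOG = """\
Jul 16 10:01:02 router mgd[1234]: UI_CMDLINE_READ_LINE: User 'ops', command 'show system download '
Jul 16 10:01:05 router mgd[1234]: UI_CMDLINE_READ_LINE: User 'ops', command 'request system download start 3 '
Jul 16 10:02:17 router mgd[1234]: UI_CMDLINE_READ_LINE: User 'ops', command 'show system download ;ls '
Jul 16 10:03:40 router mgd[1234]: UI_CMDLINE_READ_LINE: User 'ops', command 'request system download start $(hostname) '
Jul 16 10:04:00 router mgd[1234]: UI_CMDLINE_READ_LINE: User 'ops', command 'show interfaces terse '
Jul 16 10:05:00 router sshd[99]: Accepted password for ops from 192.0.2.10 port 50000 ssh2
"""


def parse_cli_audit(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a CLI audit line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_affected_command(cmd: str) -> bool:
    """True when the command is one of the two named in the advisory."""
    return cmd.strip().startswith(AFFECTED_PREFIXES)


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Yield (user, command, reason) for affected commands carrying shell metacharacters.

    Plain uses of the affected commands are legitimate and are not reported;
    only arguments that contain metacharacters are flagged for review.
    """
    hits: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_cli_audit(raw)
        if rec is None:
            continue
        cmd = rec["cmd"]
        if not is_affected_command(cmd):
            continue
        meta = SHELL_META.search(cmd)
        if meta:
            hits.append((rec["user"], cmd.strip(), f"shell metacharacter {meta.group(0)!r}"))
    return hits


if __name__ == "__main__":
    for user, cmd, reason in find_suspicious(SAMPLE_LOG):
        print(f"REVIEW user={user!r} cmd={cmd!r} ({reason})")
```

Because the flaw gives a local user commands with elevated privileges, an on-box log can be tampered with after the fact; run this against a copy of the audit stream on a separate collector, and treat a hit as a prompt for review rather than proof of exploitation, since the heuristic will also match benign arguments that happen to contain these characters.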



How to mitigate CVE-2022-22221

Install updates from the vendor's website.

Sources