SB2024071554 - XPath injection in Junos OS J-Web



Published: July 15, 2024

Security Bulletin ID: SB2024071554
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper neutralization of data within XPath expressions (CVE-ID: CVE-2024-39565)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of data within XPath expressions. While an administrator is logged into a J-Web session, or has previously logged in and subsequently logged out of their J-Web session, the attacker can execute arbitrary commands on the target device with the other user's credentials.


Remediation

Install the update from the vendor's website.