This advisory is for organizations that use Juniper SRX Series firewalls and Juniper EX Series switches. If your organization does not use these products, this notification may be discarded.
Summary
Juniper Networks has released updates for Junos OS on Juniper SRX Series and Juniper EX Series products to address several vulnerabilities, including a critical vulnerability which may allow an attacker to leverage Cross Site Scripting (XSS) to generate a URL which can be provided to another user to execute commands with the target's permission level.
“An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives.”
CVE-2024-21620 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web
CVSS v3.1: 8.8
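The vulnerability class above (CWE-79, reflected input echoed back into a generated page) is illustrated by the following added example. It is generic Python written for this advisory, not J-Web code: the page template, the parameter name "note", and the request URL are all constructed assumptions. It shows the unsafe echo pattern beside the encoded form, and a check a defender can use to confirm that markup in a parameter no longer reaches the response intact.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed illustration of CWE-79: a page that reflects a request
# parameter into HTML. Not the J-Web implementation; the parameter name
# "note" and the template are assumptions for this example.


def render_note_unsafe(note: str) -> str:
    """Echo the parameter verbatim into the page (the vulnerable pattern)."""
    return f"<html><body><p>Debug note: {note}</p></body></html>"


def render_note_safe(note: str) -> str:
    """HTML-encode the parameter before it reaches the page (the mitigation).

    html.escape with quote=True neutralises <, >, &, " and ', so the value is
    rendered as text and cannot close the element or start a new one.
    """
    return f"<html><body><p>Debug note: {html.escape(note, quote=True)}</p></body></html>"


def note_from_url(url: str) -> str:
    """Extract the assumed 'note' query parameter from a request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("note", [""])[0]


def reflects_markup(body: str, param: str) -> bool:
    """True if a parameter containing markup appears in the body unencoded.

    This is the check a tester or a regression test applies to a response:
    if the raw parameter (with its angle brackets) is a substring of the
    page, the endpoint is reflecting input without output encoding.
    """
    return "<" in param and param in body


if __name__ == "__main__":
    # Constructed request with harmless markup in the parameter.
    url = "https://firewall.example/page.php?note=<b>hello</b>"
    value = note_from_url(url)
    print("unsafe reflects markup:", reflects_markup(render_note_unsafe(value), value))
    print("safe reflects markup:  ", reflects_markup(render_note_safe(value), value))
```

Output encoding at the point where the value is written into HTML is the direct fix for this class; a Content Security Policy and marking session cookies HttpOnly reduce the impact if a reflection is missed.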
Affected Platforms
The following Junos OS software releases have been updated:
CVE-2024-21620: 20.4R3-S10*, 21.2R3-S8*, 21.4R3-S6*, 22.1R3-S5*, 22.2R3-S3*, 22.3R3-S2*, 22.4R3-S1*, 23.2R2*, 23.4R2*, and all subsequent releases. (* Pending Publication)
CVE-2024-21619: 20.4R3-S9, 21.2R3-S7*, 21.3R3-S5, 21.4R3-S6*, 22.1R3-S5*, 22.2R3-S3*, 22.3R3-S2*, 22.4R3*, 23.2R1-S2, 23.2R2*, 23.4R1, and all subsequent releases. (* Pending Publication)
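To turn the fixed-release list above into a check an operator can run against inventory, here is an added Python example (not Juniper code or tooling). It assumes Junos version strings of the form major.minorRrelease-Sservice (for example 20.4R3-S10); variants with other suffixes are rejected rather than guessed at. A device is treated as fixed when its release on the same major.minor branch is at or above the listed one, or when its branch is newer than every listed branch ("all subsequent releases"); a branch the advisory does not list returns None so it is reviewed by hand rather than assumed safe.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases for CVE-2024-21620 as listed in this advisory (asterisks
# marking "pending publication" removed).
FIXED_CVE_2024_21620: List[str] = [
    "20.4R3-S10", "21.2R3-S8", "21.4R3-S6", "22.1R3-S5", "22.2R3-S3",
    "22.3R3-S2", "22.4R3-S1", "23.2R2", "23.4R2",
]

# Assumed version shape: <major>.<minor>R<release>[-S<service>].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_junos(version: str) -> Tuple[int, int, int, int]:
    """Parse a Junos version string into (major, minor, release, service).

    A release with no -S suffix is treated as service level 0, so 23.2R2
    sorts below 23.2R2-S1 and above 23.2R1-S2.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = match.groups()
    return int(major), int(minor), int(release), int(service or 0)


def is_fixed(installed: str, fixed_releases: List[str] = FIXED_CVE_2024_21620) -> Optional[bool]:
    """Return True if installed carries the fix, False if it is below the
    fixed release on its branch, None if the branch is not covered by the list."""
    inst = parse_junos(installed)
    fixed = [parse_junos(f) for f in fixed_releases]
    # Same major.minor branch: compare (release, service) tuples.
    for fix in fixed:
        if fix[:2] == inst[:2]:
            return inst[2:] >= fix[2:]
    # Branch newer than every listed branch: covered by "all subsequent releases".
    if inst[:2] > max(fix[:2] for fix in fixed):
        return True
    # Older or unlisted branch: not determinable from this advisory.
    return None


if __name__ == "__main__":
    # Constructed sample inventory: device name -> reported Junos version.
    inventory = {"srx-edge-1": "20.4R3-S9", "ex-core-2": "22.4R3-S1", "srx-lab": "21.3R3-S5"}
    for device, version in inventory.items():
        print(f"{device:12} {version:12} fixed={is_fixed(version)}")
```

Run it against a real inventory export by replacing the constructed dictionary; any None result should be checked against the vendor bulletin linked below, since this advisory's list is the only source the check uses.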
Additional Resources
https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed?language=en_US
https://nvd.nist.gov/vuln/detail/CVE-2024-21620
https://cwe.mitre.org/data/definitions/79.html