CVE-2013-4689

J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1R before 12.1R6, 12.1X44 before 12.1X44-D15, 12.1x45 before 12.1X45-D10, 12.2 before 12.2R3, 12.3 before 12.3R2, and 13.1 before 13.1R3 allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators for requests that (1) create new administrator accounts or (2) have other unspecified impacts.

CVSS v2.0 5.1 MEDIUM

5.1^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/62940
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10597	Vendor Advisory
http://osvdb.org/98325
http://secunia.com/advisories/55166	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:juniper:junos:4.1:::::::*
	cpe:2.3:o:juniper:junos:4.2:::::::*
	cpe:2.3:o:juniper:junos:4.3:::::::*
	cpe:2.3:o:juniper:junos:4.4:::::::*
	cpe:2.3:o:juniper:junos:7.0:::::::*
	cpe:2.3:o:juniper:junos:7.1:::::::*
	cpe:2.3:o:juniper:junos:7.2:::::::*
	cpe:2.3:o:juniper:junos:7.3:::::::*
	cpe:2.3:o:juniper:junos:9.6:::::::*
	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos:13.1:::::::*
	cpe:2.3:o:juniper:junos:5.5:::::::*
	cpe:2.3:o:juniper:junos:8.2:::::::*
	cpe:2.3:o:juniper:junos:9.4:::::::*
	cpe:2.3:o:juniper:junos:7.6:::::::*
	cpe:2.3:o:juniper:junos:7.4:::::::*
	cpe:2.3:o:juniper:junos:8.1:::::::*
	cpe:2.3:o:juniper:junos:6.4:::::::*
	cpe:2.3:o:juniper:junos:8.3:::::::*
	cpe:2.3:o:juniper:junos:12.1:::::::*
	cpe:2.3:o:juniper:junos:5.7:::::::*
	cpe:2.3:o:juniper:junos:12.1x45:::::::*
	cpe:2.3:o:juniper:junos:11.4:::::::*
	cpe:2.3:o:juniper:junos:6.0:::::::*
	cpe:2.3:o:juniper:junos:5.3:::::::*
	cpe:2.3:o:juniper:junos:12.3:::::::*
	cpe:2.3:o:juniper:junos:8.4:::::::*
	cpe:2.3:o:juniper:junos:12.2:::::::*
	cpe:2.3:o:juniper:junos:12.1x44:::::::*
	cpe:2.3:o:juniper:junos:5.6:::::::*
	cpe:2.3:o:juniper:junos:9.1:::::::*
	cpe:2.3:o:juniper:junos:5.1:::::::*
	cpe:2.3:o:juniper:junos:6.2:::::::*
	cpe:2.3:o:juniper:junos:8.0:::::::*
	cpe:2.3:o:juniper:junos:5.0:::::::*
	cpe:2.3:o:juniper:junos:5.2:::::::*
	cpe:2.3:o:juniper:junos:6.1:::::::*
	cpe:2.3:o:juniper:junos:9.5:::::::*
	cpe:2.3:o:juniper:junos:9.0:::::::*
	cpe:2.3:o:juniper:junos:5.4:::::::*
	cpe:2.3:o:juniper:junos:7.5:::::::*
	cpe:2.3:o:juniper:junos:9.2:::::::*
	cpe:2.3:o:juniper:junos:6.3:::::::*
	cpe:2.3:o:juniper:junos:4.0:::::::*

Information

Published : 2013-10-17 16:55

Updated : 2013-10-25 10:04

NVD link : CVE-2013-4689

Mitre link : CVE-2013-4689

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Products Affected

juniper

junos

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/62940", "name": "62940", "tags": [], "refsource": "BID"}, {"url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10597", "name": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10597", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://osvdb.org/98325", "name": "98325", "tags": [], "refsource": "OSVDB"}, {"url": "http://secunia.com/advisories/55166", "name": "55166", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1R before 12.1R6, 12.1X44 before 12.1X44-D15, 12.1x45 before 12.1X45-D10, 12.2 before 12.2R3, 12.3 before 12.3R2, and 13.1 before 13.1R3 allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators for requests that (1) create new administrator accounts or (2) have other unspecified impacts."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-4689", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2013-10-17T23:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:juniper:junos:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:4.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:4.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:9.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "10.4"}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:13.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:9.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:6.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:8.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:12.1x45:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:11.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:12.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:12.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:12.1x44:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:9.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:6.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:9.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:5.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:7.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:9.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:6.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2013-10-25T17:04Z"}

5.1 /10