fkie_cve-2022-22152
Vulnerability from fkie_nvd
Published
2022-01-19 01:15
Modified
2024-11-21 06:46
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3.
References
sirt@juniper.nethttps://kb.juniper.net/JSA11260Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://kb.juniper.net/JSA11260Vendor Advisory
Impacted products
Vendor Product Version
juniper contrail_service_orchestration *
juniper contrail_service_orchestration 6.1.0
juniper contrail_service_orchestration 6.1.0
juniper contrail_service_orchestration 6.1.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F69DEF1-CFB2-4FDD-9729-965DAA400F9F",
              "versionEndIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "9DD57602-86B0-4FAD-837A-1B47835E15CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:patch1:*:*:*:*:*:*",
              "matchCriteriaId": "23D03743-51A8-4D38-BFAF-A5348F5F8C81",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:patch2:*:*:*:*:*:*",
              "matchCriteriaId": "90A465C5-9FFA-4FDE-BD98-B95611F4ED1F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant\u0027s firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Fallo del Mecanismo de Protecci\u00f3n en la API REST de Juniper Networks Contrail Service Orchestration permite a un arrendatario del sistema visualizar detalles de configuraci\u00f3n confidenciales de otro arrendatario del mismo sistema. Al usar la API REST, un inquilino puede obtener informaci\u00f3n sobre la configuraci\u00f3n del firewall y las pol\u00edticas de control de acceso de otro inquilino, as\u00ed como otra informaci\u00f3n confidencial, exponiendo al inquilino a una defensa reducida contra ataques maliciosos o a la explotaci\u00f3n por medio de vulnerabilidades adicionales no determinadas. Este problema afecta a versiones de Juniper Networks Contrail Service Orchestration anteriores a 6.1.0 Patch 3"
    }
  ],
  "id": "CVE-2022-22152",
  "lastModified": "2024-11-21T06:46:15.810",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "sirt@juniper.net",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-19T01:15:08.133",
  "references": [
    {
      "source": "sirt@juniper.net",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://kb.juniper.net/JSA11260"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://kb.juniper.net/JSA11260"
    }
  ],
  "sourceIdentifier": "sirt@juniper.net",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-693"
        }
      ],
      "source": "sirt@juniper.net",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.