CVE-2021-31381 - OpenCVE

A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Juniper	Session And Resource Control

Configuration 1 [-]

OR	cpe:2.3:a:juniper:session_and_resource_control::::::::
	cpe:2.3:a:juniper:session_and_resource_control::::::::

No data.

References

Link	Providers
https://kb.juniper.net/JSA11248

History

No history.

MITRE

Status: PUBLISHED

Assigner: juniper

Published: 2021-10-19T18:17:23.187566Z

Updated: 2024-09-16T17:08:17.626Z

Reserved: 2021-04-15T00:00:00

Link: CVE-2021-31381

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-19T19:15:11.193

Modified: 2021-10-26T16:51:22.153

Link: CVE-2021-31381

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SRC Series", "vendor": "Juniper Networks", "versions": [{"lessThan": "4.12.0R5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "4.13.0R3", "status": "affected", "version": "4.13.0", "versionType": "custom"}]}], "datePublic": "2021-10-13T00:00:00", "descriptions": [{"lang": "en", "value": "A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system."}], "exploits": [{"lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-16", "description": "CWE-16 Configuration", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-19T18:17:23", "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kb.juniper.net/JSA11248"}], "solutions": [{"lang": "en", "value": "The following software releases have been updated to resolve this specific issue: 4.12.0R5, 4.13.0R3, and all subsequent releases."}], "source": {"advisory": "JSA11248", "defect": ["1487223"], "discovery": "USER"}, "title": "SRC Series: A remote attacker sending a specially crafted query may cause the web server to delete files", "workarounds": [{"lang": "en", "value": "There are no viable workarounds for this issue.\n\nTo reduce the risk of exploitation utilize common security BCPs to limit the exploitable surface by limiting access to network and device to trusted systems, administrators, networks and hosts."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "sirt@juniper.net", "DATE_PUBLIC": "2021-10-13T16:00:00.000Z", "ID": "CVE-2021-31381", "STATE": "PUBLIC", "TITLE": "SRC Series: A remote attacker sending a specially crafted query may cause the web server to delete files"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SRC Series", "version": {"version_data": [{"version_affected": "<", "version_value": "4.12.0R5"}, {"version_affected": "<", "version_name": "4.13.0", "version_value": "4.13.0R3"}]}}]}, "vendor_name": "Juniper Networks"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system."}]}, "exploit": [{"lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-16 Configuration"}]}, {"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://kb.juniper.net/JSA11248", "refsource": "CONFIRM", "url": "https://kb.juniper.net/JSA11248"}]}, "solution": [{"lang": "en", "value": "The following software releases have been updated to resolve this specific issue: 4.12.0R5, 4.13.0R3, and all subsequent releases."}], "source": {"advisory": "JSA11248", "defect": ["1487223"], "discovery": "USER"}, "work_around": [{"lang": "en", "value": "There are no viable workarounds for this issue.\n\nTo reduce the risk of exploitation utilize common security BCPs to limit the exploitable surface by limiting access to network and device to trusted systems, administrators, networks and hosts."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:55:53.895Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kb.juniper.net/JSA11248"}]}]}, "cveMetadata": {"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "assignerShortName": "juniper", "cveId": "CVE-2021-31381", "datePublished": "2021-10-19T18:17:23.187566Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T17:08:17.626Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juniper:session_and_resource_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B3DEF7F-E8BF-4BB8-9989-8D4CFAE5539A", "versionEndExcluding": "4.12.0r5", "vulnerable": true}, {"criteria": "cpe:2.3:a:juniper:session_and_resource_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "0478F1B6-0A80-4CE2-9AF5-251A02BBAC5F", "versionEndExcluding": "4.13.0r3", "versionStartIncluding": "4.13.0r1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system."}, {"lang": "es", "value": "Una debilidad de configuraci\u00f3n en el componente JBoss Application Server (AppSvr) de Juniper Networks SRC Series permite a un atacante remoto enviar una consulta especialmente dise\u00f1ada para causar que el servidor web elimine archivos, lo que puede permitir al atacante interrumpir la integridad y disponibilidad del sistema"}], "id": "CVE-2021-31381", "lastModified": "2021-10-26T16:51:22.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2021-10-19T19:15:11.193", "references": [{"source": "sirt@juniper.net", "tags": ["Patch", "Vendor Advisory"], "url": "https://kb.juniper.net/JSA11248"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-16"}, {"lang": "en", "value": "CWE-200"}], "source": "sirt@juniper.net", "type": "Secondary"}]}