CVE-2024-21589

Опубликовано: 12 янв. 2024

Источник: nvd

CVSS3: 7.4

CVSS3: 7.5

EPSS Низкий

Описание

A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. By exploiting this vulnerability, it is possible to access reports without being logged in, resulting in the opportunity for malicious exfiltration of user data.

Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue.

This issue affects Juniper Networks Paragon Active Assurance versions 3.1.0, 3.2.0, 3.2.2, 3.3.0, 3.3.1, 3.4.0.

This issue does not affect Juniper Networks Paragon Active Assurance versions earlier than 3.1.0.

Ссылки

https://supportportal.juniper.net/JSA75727
Vendor Advisory
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Third Party Advisory
https://supportportal.juniper.net/JSA75727
Vendor Advisory
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:juniper:paragon_active_assurance_control_center:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:juniper:paragon_active_assurance_control_center:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:juniper:paragon_active_assurance_control_center:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:juniper:paragon_active_assurance_control_center:3.3.0:*:*:*:*:*:*:*

cpe:2.3:a:juniper:paragon_active_assurance_control_center:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:juniper:paragon_active_assurance_control_center:3.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 39%

0.00178

Низкий

7.4 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-284

NVD-CWE-Other

Связанные уязвимости

GHSA-c9hp-xj9x-p4wm

CVSS3: 7.4

github

около 2 лет назад

An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated network-based attacker to access reports without authenticating, potentially containing sensitive configuration information. A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. By exploiting this vulnerability, it is possible to access reports without being logged in, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance versions 3.1.0, 3.2.0, 3.2.2, 3.3.0, 3.3.1, 3.4.0. This issue does not affect Juniper Networks Paragon Active Assurance versions earlier than 3.1.0.

BDU:2024-00455

CVSS3: 7.4

fstec

около 2 лет назад

Уязвимость компонента Report Handler платформы тестирования и мониторинга физических, гибридных и виртуальных сетей Paragon Active Assurance (ранее известная как Netrounds), позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 39%

0.00178

Низкий

7.4 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-284

NVD-CWE-Other