Cyber Resilience

CVE-2021-31386

Medium

Published: 19 October 2021

Published
19 October 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0015 35.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-31386 is a medium-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Juniper Junos. Its CVSS base score is 5.3 (Medium).

Operationally, ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perform Person-in-the-Middle (PitM) attacks against the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S20;…

more

15.1 versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

juniper
junos
12.3, 15.1, 18.3, 18.4, 19.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-693 CWE-311

By requiring integrated, updated architectures and CONOPS, the control reduces the likelihood that protection mechanisms are missing or inconsistently applied.

addresses: CWE-311 CWE-693

Privacy and security curricula stress encryption requirements, reducing missing encryption of sensitive data.

addresses: CWE-693

Implements a reliable, tamperproof protection mechanism whose completeness can be assured.

addresses: CWE-693

Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.

addresses: CWE-311

Privacy and security training stresses encryption of sensitive data, reducing missing encryption weaknesses.

addresses: CWE-693

Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.

addresses: CWE-693

Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.

addresses: CWE-311

Exchange agreements must document security requirements, which would include encryption to protect sensitive data in transit.

References