CVE-2022-22242
Published: 18 October 2022
Summary
CVE-2022-22242 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Juniper Junos. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
A Cross-site Scripting (XSS) vulnerability tracked as CVE-2022-22242 exists in the J-Web component of Juniper Networks Junos OS. The flaw permits an unauthenticated attacker to inject script content that J-Web reflects back to a victim's browser, where it runs in the context of the victim's J-Web session. It affects Junos OS releases prior to the fixed versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R2-S7/19.4R3-S8, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S4, 21.2R3-S1, 21.3R3, 21.4R2, and 22.1R2, and carries a CVSS 3.1 base score of 6.1 under the CWE-79 classification.
An unauthenticated remote attacker can exploit the issue by crafting a malicious link or request that reflects script content through J-Web to a logged-in administrator or user. Successful exploitation allows the attacker to perform actions within the victim's authenticated J-Web session, such as reading limited session data or modifying interface elements, without requiring prior credentials.
Juniper Networks has published advisory JSA69899, which details the affected versions and the corresponding fixed releases that resolve the reflected XSS flaw. Organizations are advised to upgrade to one of the listed patched versions to eliminate the vulnerability.
The EPSS score for this CVE currently stands at 0.6455 with a recorded peak of 0.6564.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27389
Vulnerability details
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects web inputs containing script-related content that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
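The following is an added example, not code from Juniper or the J-Web component, showing the input-validation and output-encoding controls listed above applied to a reflected request parameter of the kind a reflected XSS relies on. The function names (escapeHtml, validateHostname, renderVulnerable, renderHardened, containsRawScript) and the sample request are constructed for illustration; the vulnerable renderer is included only to make the difference the encoding step makes visible in a test.

```javascript
// Added example (not Juniper/J-Web code). Demonstrates the two controls
// named above: allowlist validation for a parameter with a known shape, and
// HTML-context output encoding for free text that must be reflected as-is.

// Characters that carry meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value so the browser treats it as data rather than markup.
// Every reflected value must pass through this before being placed in a page.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation for a parameter with a known shape: accept only a
// hostname-like token and reject anything else instead of trying to clean it.
function validateHostname(value) {
  return /^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$/.test(String(value)) ? value : null;
}

// The anti-pattern behind a reflected XSS: request parameters concatenated
// straight into the response body with no validation or encoding.
function renderVulnerable(query) {
  return `<p>Results for "${query.search}" on ${query.host}</p>`;
}

// Hardened form: the constrained parameter is validated against an allowlist,
// and both values are encoded for the HTML text context before concatenation.
function renderHardened(query) {
  const host = validateHostname(query.host);
  if (host === null) {
    return '<p>Invalid host parameter.</p>';
  }
  return `<p>Results for "${escapeHtml(query.search)}" on ${escapeHtml(host)}</p>`;
}

// Minimal response check a test suite can apply to rendered output:
// does the page still contain a raw <script> element?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed request mirroring the shape of a reflected-XSS test payload
// (sample input, not taken from any real advisory or traffic).
const constructedQuery = {
  search: '<script>alert(1)</script>',
  host: 'router1.example.net',
};

// Stand-alone demonstration of the two renderers side by side.
function demo() {
  const vulnerable = renderVulnerable(constructedQuery);
  const hardened = renderHardened(constructedQuery);
  console.log('vulnerable:', vulnerable, '-> raw script:', containsRawScript(vulnerable));
  console.log('hardened:  ', hardened, '-> raw script:', containsRawScript(hardened));
  return { vulnerable, hardened };
}

demo();
```

The point of the pairing is that validation and encoding answer different questions: validateHostname rejects a value that does not match the expected shape, while escapeHtml makes an arbitrary value safe to reflect when rejecting it is not an option. Applying both, as renderHardened does, is what the third control above (output validation of generated pages) amounts to in code.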