Details of VAR-201703-0043

ID

VAR-201703-0043

CVE

CVE-2016-4931

TITLE

Junos Space In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2016-008033

DESCRIPTION

XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service. Juniper Junos Space is prone to the following multiple security issues: 1. Cross-site scripting vulnerability 2. Cross-site request-forgery vulnerability 3. Authentication-bypass vulnerability 4. A command-injection vulnerability 6. A security-bypass vulnerability An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, perform certain administrative actions, gain unauthorized access, bypass certain security restrictions or cause denial-of-service conditions. Juniper Networks Junos Space is a set of network management solutions of Juniper Networks (Juniper Networks). The solution supports automated configuration, monitoring, and troubleshooting of devices and services throughout their lifecycle

Trust: 1.98

sources: NVD: CVE-2016-4931 // JVNDB: JVNDB-2016-008033 // BID: 93540 // VULHUB: VHN-93750

AFFECTED PRODUCTS

vendor:	juniper	model:	junos space	scope:	lte	version:	15.2	Trust: 1.0
vendor:	juniper	model:	junos space	scope:	eq	version:	15.2	Trust: 0.9
vendor:	juniper	model:	junos space	scope:	lt	version:	15.2r2	Trust: 0.8
vendor:	juniper	model:	junos space 15.2r1	scope:	-	version:	-	Trust: 0.3
vendor:	juniper	model:	junos space 15.2r2	scope:	ne	version:	-	Trust: 0.3

sources: BID: 93540 // JVNDB: JVNDB-2016-008033 // CNNVD: CNNVD-201610-466 // NVD: CVE-2016-4931

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-4931
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-4931
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201610-466
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-93750
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-4931
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-93750
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-4931
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-93750 // JVNDB: JVNDB-2016-008033 // CNNVD: CNNVD-201610-466 // NVD: CVE-2016-4931

PROBLEMTYPE DATA

problemtype:

CWE-611

Trust: 1.9

sources: VULHUB: VHN-93750 // JVNDB: JVNDB-2016-008033 // NVD: CVE-2016-4931

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-466

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201610-466

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008033

PATCH

title:	JSA10760	url:	https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10760	Trust: 0.8
title:	Juniper Junos Space XML Fixes for external entity injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64837	Trust: 0.6

sources: JVNDB: JVNDB-2016-008033 // CNNVD: CNNVD-201610-466

EXTERNAL IDS

db:	NVD	id:	CVE-2016-4931	Trust: 2.8
db:	BID	id:	93540	Trust: 2.0
db:	JUNIPER	id:	JSA10760	Trust: 2.0
db:	JVNDB	id:	JVNDB-2016-008033	Trust: 0.8
db:	CNNVD	id:	CNNVD-201610-466	Trust: 0.7
db:	VULHUB	id:	VHN-93750	Trust: 0.1

sources: VULHUB: VHN-93750 // BID: 93540 // JVNDB: JVNDB-2016-008033 // CNNVD: CNNVD-201610-466 // NVD: CVE-2016-4931

REFERENCES

url:	http://www.securityfocus.com/bid/93540	Trust: 1.7
url:	https://kb.juniper.net/infocenter/index?page=content&id=jsa10760	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4931	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-4931	Trust: 0.8
url:	http://www.juniper.net/	Trust: 0.3
url:	http://www.juniper.net/au/en/products-services/software/junos-platform/junos-space/	Trust: 0.3
url:	https://kb.juniper.net/infocenter/index?page=content&id=jsa10760&cat=sirt_1&actp=list	Trust: 0.3
url:	https://kb.juniper.net/infocenter/index?page=content&id=jsa10760	Trust: 0.1

sources: VULHUB: VHN-93750 // BID: 93540 // JVNDB: JVNDB-2016-008033 // CNNVD: CNNVD-201610-466 // NVD: CVE-2016-4931

CREDITS

The vendor reported the issue.

Trust: 0.3

sources: BID: 93540

SOURCES

db:	VULHUB	id:	VHN-93750
db:	BID	id:	93540
db:	JVNDB	id:	JVNDB-2016-008033
db:	CNNVD	id:	CNNVD-201610-466
db:	NVD	id:	CVE-2016-4931

LAST UPDATE DATE

2024-11-23T22:07:37.715000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-93750	date:	2017-03-22T00:00:00
db:	BID	id:	93540	date:	2016-10-26T02:07:00
db:	JVNDB	id:	JVNDB-2016-008033	date:	2017-04-17T00:00:00
db:	CNNVD	id:	CNNVD-201610-466	date:	2017-03-21T00:00:00
db:	NVD	id:	CVE-2016-4931	date:	2024-11-21T02:53:15.607

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-93750	date:	2017-03-20T00:00:00
db:	BID	id:	93540	date:	2016-10-12T00:00:00
db:	JVNDB	id:	JVNDB-2016-008033	date:	2017-04-17T00:00:00
db:	CNNVD	id:	CNNVD-201610-466	date:	2016-10-18T00:00:00
db:	NVD	id:	CVE-2016-4931	date:	2017-03-20T20:59:00.330