Sign-up

ID

VAR-201707-0307


CVE

CVE-2017-2337


TITLE

Multiple cross-site scripting vulnerabilities in ScreenOS

Trust: 0.8

sources: JVNDB: JVNDB-2017-000183

DESCRIPTION

A persistent cross site scripting vulnerability in NetScreen WebUI of Juniper Networks Juniper NetScreen Firewall+VPN running ScreenOS allows a user with the 'security' role to inject HTML/JavaScript content into the management session of other users including the administrator. This enables the lower-privileged user to effectively execute commands with the permissions of an administrator. This issue affects Juniper Networks ScreenOS 6.3.0 releases prior to 6.3.0r24 on SSG Series. No other Juniper Networks products or platforms are affected by this issue. ScreenOS provided by Juniper Networks contains multiple cross-site scripting vulnerabilities. Toshitsugu Yoneyama and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. An arbitrary script may be executed on the logged in user's web browser. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. ScreenOS is one of those operating systems

Trust: 1.98

sources: NVD: CVE-2017-2337 // JVNDB: JVNDB-2017-000183 // BID: 99590 // VULHUB: VHN-110540

AFFECTED PRODUCTS

vendor:junipermodel:screenosscope:eqversion:6.3.0

Trust: 1.6

vendor:junipermodel:screenosscope:eqversion:prior to 6.3.0r24

Trust: 0.8

vendor:junipermodel:screenos 6.3.0r22scope: - version: -

Trust: 0.3

vendor:junipermodel:screenos 6.3.0r21scope: - version: -

Trust: 0.3

vendor:junipermodel:screenos 6.3.0r20scope: - version: -

Trust: 0.3

vendor:junipermodel:screenos 6.3.0r19scope: - version: -

Trust: 0.3

vendor:junipermodel:screenos 6.3.0r13scope: - version: -

Trust: 0.3

vendor:junipermodel:screenos 6.3.0r12scope: - version: -

Trust: 0.3

vendor:junipermodel:screenos 6.3.0r24scope:neversion: -

Trust: 0.3

sources: BID: 99590 // JVNDB: JVNDB-2017-000183 // CNNVD: CNNVD-201707-625 // NVD: CVE-2017-2337

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2337
value: MEDIUM

Trust: 1.0

sirt@juniper.net: CVE-2017-2337
value: HIGH

Trust: 1.0

VENDOR: JVNDB-2017-000183
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201707-625
value: LOW

Trust: 0.6

VULHUB: VHN-110540
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-2337
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VENDOR: JVNDB-2017-000183
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-110540
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2337
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.0

sirt@juniper.net: CVE-2017-2337
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.7
impactScore: 6.0
version: 3.0

Trust: 1.0

VENDOR: JVNDB-2017-000183
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-110540 // JVNDB: JVNDB-2017-000183 // CNNVD: CNNVD-201707-625 // NVD: CVE-2017-2337 // NVD: CVE-2017-2337

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-110540 // JVNDB: JVNDB-2017-000183 // NVD: CVE-2017-2337

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-625

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201707-625

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-000183

PATCH
title:2017-07 Security Bulletin: ScreenOS: Multiple XSS vulnerabilities in ScreenOS Firewallurl:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&actp=METADATA
Trust: 0.8
title:Juniper SSG Series device ScreenOS Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71743
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-000183 // 
            
            
            
            CNNVD: CNNVD-201707-625

EXTERNAL IDS
db:NVDid:CVE-2017-2337
Trust: 2.8
db:JUNIPERid:JSA10782
Trust: 2.0
db:SECTRACKid:1038881
Trust: 1.7
db:BIDid:99590
Trust: 1.4
db:JVNid:JVN74247807
Trust: 0.8
db:JVNDBid:JVNDB-2017-000183
Trust: 0.8
db:CNNVDid:CNNVD-201707-625
Trust: 0.7
db:VULHUBid:VHN-110540
Trust: 0.1
sources:
            
            
            VULHUB: VHN-110540 // 
            
            
            
            BID: 99590 // 
            
            
            
            JVNDB: JVNDB-2017-000183 // 
            
            
            
            CNNVD: CNNVD-201707-625 // 
            
            
            
            NVD: CVE-2017-2337

REFERENCES
url:https://kb.juniper.net/jsa10782
Trust: 1.7
url:http://www.securityfocus.com/bid/99590
Trust: 1.1
url:http://www.securitytracker.com/id/1038881
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2338
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2339
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2335
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2336
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2337
Trust: 0.8
url:https://jvn.jp/en/jp/jvn74247807/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2335
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2336
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2337
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2338
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2339
Trust: 0.8
url:http://securitytracker.com/id/1038881
Trust: 0.6
url:http://www.juniper.net/
Trust: 0.3
url:https://kb.juniper.net/infocenter/index?page=content&id=jsa10782&actp=rss
Trust: 0.3
sources:
            
            
            VULHUB: VHN-110540 // 
            
            
            
            BID: 99590 // 
            
            
            
            JVNDB: JVNDB-2017-000183 // 
            
            
            
            CNNVD: CNNVD-201707-625 // 
            
            
            
            NVD: CVE-2017-2337

CREDITS
Gaku Mochizuki/Toshitsugu Yoneyama from Mitsui Bussan Secure Directions, Inc.
Trust: 0.3
sources:
            
            
            BID: 99590

SOURCES
db:VULHUBid:VHN-110540
db:BIDid:99590
db:JVNDBid:JVNDB-2017-000183
db:CNNVDid:CNNVD-201707-625
db:NVDid:CVE-2017-2337

LAST UPDATE DATE
2024-11-23T22:07:20.328000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-110540date:2017-07-22T00:00:00
db:BIDid:99590date:2017-07-14T00:00:00
db:JVNDBid:JVNDB-2017-000183date:2017-08-09T00:00:00
db:CNNVDid:CNNVD-201707-625date:2017-07-19T00:00:00
db:NVDid:CVE-2017-2337date:2024-11-21T03:23:18.820

SOURCES RELEASE DATE
db:VULHUBid:VHN-110540date:2017-07-17T00:00:00
db:BIDid:99590date:2017-07-14T00:00:00
db:JVNDBid:JVNDB-2017-000183date:2017-07-24T00:00:00
db:CNNVDid:CNNVD-201707-625date:2017-07-19T00:00:00
db:NVDid:CVE-2017-2337date:2017-07-17T13:18:24.030