Details of VAR-202110-0387

ID

VAR-202110-0387

CVE

CVE-2021-0296

TITLE

Juniper Networks CtpView Input validation error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202110-1005

DESCRIPTION

The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3

Trust: 1.08

sources: NVD: CVE-2021-0296 // VULHUB: VHN-372198 // VULMON: CVE-2021-0296

AFFECTED PRODUCTS

vendor:	juniper	model:	ctpview	scope:	eq	version:	7.3	Trust: 1.0
vendor:	juniper	model:	ctpview	scope:	eq	version:	9.1	Trust: 1.0

sources: NVD: CVE-2021-0296

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-0296
value:	MEDIUM
Trust: 1.0
sirt@juniper.net:	CVE-2021-0296
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202110-1005
value:	HIGH
Trust: 0.6
VULHUB:	VHN-372198
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-0296
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-0296
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-372198
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sirt@juniper.net:	CVE-2021-0296
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.2
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-372198 // VULMON: CVE-2021-0296 // CNNVD: CNNVD-202110-1005 // NVD: CVE-2021-0296 // NVD: CVE-2021-0296

PROBLEMTYPE DATA

problemtype:

CWE-319

Trust: 1.1

sources: VULHUB: VHN-372198 // NVD: CVE-2021-0296

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1005

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202110-1005

PATCH

title:

Juniper Networks CtpView Enter the fix for the verification error vulnerability

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166613

Trust: 0.6

sources: CNNVD: CNNVD-202110-1005

EXTERNAL IDS

db:	NVD	id:	CVE-2021-0296	Trust: 1.8
db:	JUNIPER	id:	JSA11210	Trust: 1.8
db:	CS-HELP	id:	SB2021101402	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3419	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-1005	Trust: 0.6
db:	VULHUB	id:	VHN-372198	Trust: 0.1
db:	VULMON	id:	CVE-2021-0296	Trust: 0.1

sources: VULHUB: VHN-372198 // VULMON: CVE-2021-0296 // CNNVD: CNNVD-202110-1005 // NVD: CVE-2021-0296

REFERENCES

url:	https://kb.juniper.net/jsa11210	Trust: 1.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3419	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021101402	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/319.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-372198 // VULMON: CVE-2021-0296 // CNNVD: CNNVD-202110-1005 // NVD: CVE-2021-0296

SOURCES

db:	VULHUB	id:	VHN-372198
db:	VULMON	id:	CVE-2021-0296
db:	CNNVD	id:	CNNVD-202110-1005
db:	NVD	id:	CVE-2021-0296

LAST UPDATE DATE

2024-08-14T15:01:18.584000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-372198	date:	2021-10-25T00:00:00
db:	VULMON	id:	CVE-2021-0296	date:	2021-10-25T00:00:00
db:	CNNVD	id:	CNNVD-202110-1005	date:	2021-10-26T00:00:00
db:	NVD	id:	CVE-2021-0296	date:	2021-10-25T12:29:00.133

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-372198	date:	2021-10-19T00:00:00
db:	VULMON	id:	CVE-2021-0296	date:	2021-10-19T00:00:00
db:	CNNVD	id:	CNNVD-202110-1005	date:	2021-10-14T00:00:00
db:	NVD	id:	CVE-2021-0296	date:	2021-10-19T19:15:08.227