ID

VAR-202201-0633


CVE

CVE-2022-22152


TITLE

Protection mechanism failure vulnerability in Juniper Networks Contrail Service Orchestration

Trust: 0.8

sources: JVNDB: JVNDB-2022-003373

DESCRIPTION

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3. Contrail Service Orchestration is used to connect many enterprise and multi-tenant service provider solutions. A remote attacker can view confidential configuration details of other tenants on the same system.

Trust: 1.8

sources: NVD: CVE-2022-22152 // JVNDB: JVNDB-2022-003373 // VULHUB: VHN-409681 // VULMON: CVE-2022-22152

AFFECTED PRODUCTS

vendor: juniper, model: contrail service orchestration, scope: eq, version: 6.1.0

Trust: 1.0

vendor: juniper, model: contrail service orchestration, scope: lte, version: 6.0.0

Trust: 1.0

vendor: ジュニパーネットワークス, model: contrail service orchestration, scope: eq, version: -

Trust: 0.8

vendor: ジュニパーネットワークス, model: contrail service orchestration, scope: eq, version: 6.1.0 patch 3

Trust: 0.8

sources: JVNDB: JVNDB-2022-003373 // NVD: CVE-2022-22152

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-22152
value: MEDIUM

Trust: 1.0

sirt@juniper.net: CVE-2022-22152
value: HIGH

Trust: 1.0

NVD: CVE-2022-22152
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202201-1386
value: MEDIUM

Trust: 0.6

VULHUB: VHN-409681
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22152
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2022-22152
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-409681
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2022-22152
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

sirt@juniper.net: CVE-2022-22152
baseSeverity: HIGH
baseScore: 7.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2022-22152
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-409681 // VULMON: CVE-2022-22152 // JVNDB: JVNDB-2022-003373 // CNNVD: CNNVD-202201-1386 // NVD: CVE-2022-22152 // NVD: CVE-2022-22152

PROBLEMTYPE DATA

problemtype: CWE-693

Trust: 1.1

problemtype: Malfunction of protection mechanism (CWE-693) [others]

Trust: 0.8

sources: VULHUB: VHN-409681 // JVNDB: JVNDB-2022-003373 // NVD: CVE-2022-22152

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-1386

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202201-1386

PATCH

title: JSA11260
url: https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Contrail-Service-Orchestration-Tenants-able-to-see-other-tenants-policies-via-REST-API-interface-CVE-2022-22152?language=en_US

Trust: 0.8

title: Juniper Networks Contrail Service Orchestration Fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=179693

Trust: 0.6

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22152 // JVNDB: JVNDB-2022-003373 // CNNVD: CNNVD-202201-1386

EXTERNAL IDS

db: NVD, id: CVE-2022-22152

Trust: 3.4

db: JUNIPER, id: JSA11260

Trust: 1.8

db: JVNDB, id: JVNDB-2022-003373

Trust: 0.8

db: CNNVD, id: CNNVD-202201-1386

Trust: 0.7

db: CS-HELP, id: SB2022011708

Trust: 0.6

db: CNVD, id: CNVD-2022-06891

Trust: 0.1

db: VULHUB, id: VHN-409681

Trust: 0.1

db: VULMON, id: CVE-2022-22152

Trust: 0.1

sources: VULHUB: VHN-409681 // VULMON: CVE-2022-22152 // JVNDB: JVNDB-2022-003373 // CNNVD: CNNVD-202201-1386 // NVD: CVE-2022-22152

REFERENCES

url: https://kb.juniper.net/jsa11260

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2022-22152

Trust: 1.4

url: https://www.cybersecurity-help.cz/vdb/sb2022011708

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/693.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-409681 // VULMON: CVE-2022-22152 // JVNDB: JVNDB-2022-003373 // CNNVD: CNNVD-202201-1386 // NVD: CVE-2022-22152

SOURCES

db: VULHUB, id: VHN-409681
db: VULMON, id: CVE-2022-22152
db: JVNDB, id: JVNDB-2022-003373
db: CNNVD, id: CNNVD-202201-1386
db: NVD, id: CVE-2022-22152

LAST UPDATE DATE

2024-08-14T15:42:39.644000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-409681, date: 2022-01-24T00:00:00
db: VULMON, id: CVE-2022-22152, date: 2022-01-24T00:00:00
db: JVNDB, id: JVNDB-2022-003373, date: 2023-02-16T00:46:00
db: CNNVD, id: CNNVD-202201-1386, date: 2022-01-27T00:00:00
db: NVD, id: CVE-2022-22152, date: 2022-01-24T21:20:18.827

SOURCES RELEASE DATE

db: VULHUB, id: VHN-409681, date: 2022-01-19T00:00:00
db: VULMON, id: CVE-2022-22152, date: 2022-01-19T00:00:00
db: JVNDB, id: JVNDB-2022-003373, date: 2023-02-16T00:00:00
db: CNNVD, id: CNNVD-202201-1386, date: 2022-01-17T00:00:00
db: NVD, id: CVE-2022-22152, date: 2022-01-19T01:15:08.133