Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-0296

The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3.

Published

2021-10-19T19:15:08.227

Last Modified

2024-11-21T05:42:25.817

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-319
Type: Primary
CWE-319

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	juniper	ctpview	7.3	Yes
Application	juniper	ctpview	7.3	Yes
Application	juniper	ctpview	7.3	Yes
Application	juniper	ctpview	7.3	Yes
Application	juniper	ctpview	7.3	Yes
Application	juniper	ctpview	7.3	Yes
Application	juniper	ctpview	9.1	Yes
Application	juniper	ctpview	9.1	Yes

References

https://kb.juniper.net/JSA11210 Vendor Advisory ([email protected])
https://kb.juniper.net/JSA11210 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)