CVE-2022-22189

An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locally authenticated user to have their permissions elevated without authentication thereby taking control of the local system they are currently authenticated to. This issue affects: Juniper Networks Contrail Service Orchestration 6.0.0 versions prior to 6.0.0 Patch v3 on On-premises installations. This issue does not affect Juniper Networks Contrail Service Orchestration On-premises versions prior to 6.0.0.

CVSS v3 7.8 HIGH
CVSS v2.0 7.2 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://kb.juniper.net/JSA69498	Permissions Required Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:-::::::
	cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:patch1::::::
	cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:patch2::::::

History

No history.

Information

Published : 2022-04-14 16:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-22189

Mitre link : CVE-2022-22189

CVE.ORG link : CVE-2022-22189

JSON object : View

Products Affected

juniper

contrail_service_orchestration

CWE

NVD-CWE-Other CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-708

Incorrect Ownership Assignment

{"id": "CVE-2022-22189", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "sirt@juniper.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}]}, "published": "2022-04-14T16:15:08.167", "references": [{"url": "https://kb.juniper.net/JSA69498", "tags": ["Permissions Required", "Vendor Advisory"], "source": "sirt@juniper.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "sirt@juniper.net", "description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-708"}]}], "descriptions": [{"lang": "en", "value": "An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locally authenticated user to have their permissions elevated without authentication thereby taking control of the local system they are currently authenticated to. This issue affects: Juniper Networks Contrail Service Orchestration 6.0.0 versions prior to 6.0.0 Patch v3 on On-premises installations. This issue does not affect Juniper Networks Contrail Service Orchestration On-premises versions prior to 6.0.0."}, {"lang": "es", "value": "Una vulnerabilidad de Asignaci\u00f3n de Propiedad Incorrecta en Juniper Networks Contrail Service Orchestration (CSO) permite que un usuario autenticado localmente tenga sus permisos elevados sin autenticaci\u00f3n, tomando as\u00ed el control del sistema local en el que est\u00e1 autenticado. Este problema afecta a: Juniper Networks Contrail Service Orchestration versiones 6.0.0 anteriores a 6.0.0 Patch v3 en instalaciones locales. Este problema no afecta a las versiones locales de Juniper Networks Contrail Service Orchestration anteriores a 6.0.0"}], "lastModified": "2022-04-25T14:25:09.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA7E76A4-E725-4297-AC19-2993FCE07B73"}, {"criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2777241-F7D0-42EF-99BD-9BEC5D84A406"}, {"criteria": "cpe:2.3:a:juniper:contrail_service_orchestration:6.0.0:patch2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99BBB456-0F5E-4472-8C43-343C2BC64466"}], "operator": "OR"}]}], "sourceIdentifier": "sirt@juniper.net"}