Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, users can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-21906

Publication date:
15/01/2026
An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart.

When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing.

Note that PMI with GRE performance acceleration is only supported on specific SRX platforms.
This issue affects Junos OS on the SRX Series:

* all versions before 21.4R3-S12,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2-S1,
* from 25.2 before 25.2R1-S1, 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21908

Publication date:
15/01/2026
A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root.

The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path.

This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled.
This issue affects:

Junos OS:

* from 23.2R2-S1 before 23.2R2-S5,
* from 23.4R2 before 23.4R2-S6,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2-S1,
* from 25.2 before 25.2R1-S2, 25.2R2;

Junos OS Evolved:

* from 23.2R2-S1 before 23.2R2-S5-EVO,
* from 23.4R2 before 23.4R2-S6-EVO,
* from 24.2 before 24.2R2-S3-EVO,
* from 24.4 before 24.4R2-S1-EVO,
* from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21909

Publication date:
15/01/2026
A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.

Memory usage can be monitored through the use of the 'show task memory detail' command. For example:

user@junos> show task memory detail | match ted-infra
  TED-INFRA-COOKIE           25   1072     28   1184     229

user@junos> show task memory detail | match ted-infra
  TED-INFRA-COOKIE           31   1360     34   1472     307

This issue affects:

Junos OS:

* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S2, 23.4R2,
* from 24.1 before 24.1R2;

Junos OS Evolved:

* from 23.2 before 23.2R2-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,
* from 24.1 before 24.1R2-EVO.

This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21907

Publication date:
15/01/2026
A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications. This issue affects all versions of Junos Space before 24.1R5.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-1002

Publication date:
15/01/2026
The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI.

The issue comes from an improper implementation of rule C of section 5.2.4 of RFC 3986 and is fixed in the Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895

Steps to reproduce
Given a file served by the static handler, craft a URI that introduces a string like bar%2F..%2F after the last / character to deny access to the URI with an HTTP 404 response. For example, https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html

Mitigation
Disabling the Static Handler cache fixes the issue.

StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2025-70893

Publication date:
15/01/2026
A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2025-70892

Publication date:
15/01/2026
Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-0203

Publication date:
15/01/2026
An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS).

When an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks.

This issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue.

This issue affects Junos OS:

* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S10,
* from 22.2 before 22.2R3-S7,
* from 22.3 before 22.3R3-S4,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S3,
* from 24.2 before 24.2R1-S2, 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21903

Publication date:
15/01/2026
A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges, to cause a Denial-of-Service (DoS).

Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart.
The issue was not seen when YANG packages for the specific sensors were installed.

This issue affects Junos OS:

* all versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21905

Publication date:
15/01/2026
A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS).

On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or the mspmand process on MX Series with MS-MPC.

This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue.

This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC:

* all versions before 21.2R3-S10,
* from 21.4 before 21.4R3-S12,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S6,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2-S1,
* from 25.2 before 25.2R1-S1, 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-67025

Publication date:
15/01/2026
Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2025-65368

Publication date:
15/01/2026
SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026