CVE-2021-31349

Session Smart Router: Authentication Bypass Vulnerability

Description

The usage of an internal HTTP header created an authentication bypass vulnerability (CWE-287), allowing an attacker to view internal files, change settings, manipulate services and execute arbitrary code. This issue affects all Juniper Networks 128 Technology Session Smart Router versions prior to 4.5.11, and all versions of 5.0 up to and including 5.0.1.

Remediation

Solution:

  • 128 Technology has released software updates that address the vulnerability described in this advisory. Fixed Releases: The following 128T software patches have been released to resolve this specific issue: 4.5.11, 5.1.0, and all subsequent releases. Customers who are running 5.0.0 or 5.0.1 should upgrade to 5.1.6 or later. Instructions for upgrading the 128T Networking Platform can be found at https://docs.128technology.com/docs/intro_upgrading .

Workaround:

  • While no workarounds exist for this vulnerability, risk exposure can be mitigated. HTTP access to the SSR occurs on TCP port 443. It is recommended to install firewall rules to permit access only from trusted IP addresses.

Category

9.8
CVSS
Severity: Critical
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.75% Top 30%
Vendor Advisory juniper.net
Affected: Juniper Networks 128 Technology Session Smart Router
Published at:
Updated at:

References

Link Tags
https://kb.juniper.net/JSA11256 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-31349?
CVE-2021-31349 has been scored as a critical severity vulnerability.
How to fix CVE-2021-31349?
To fix CVE-2021-31349: 128 Technology has released software updates that address the vulnerability described in this advisory. Fixed Releases: The following 128T software patches have been released to resolve this specific issue: 4.5.11, 5.1.0, and all subsequent releases. Customers who are running 5.0.0 or 5.0.1 should upgrade to 5.1.6 or later. Instructions for upgrading the 128T Networking Platform can be found at https://docs.128technology.com/docs/intro_upgrading .
Is CVE-2021-31349 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-31349 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-31349?
CVE-2021-31349 affects Juniper Networks 128 Technology Session Smart Router.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.