CVE-2024-39565

Junos OS: J-Web: An unauthenticated, network-based attacker can perform XPATH injection attack against a device.

Description

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.  While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device. This issue affects Junos OS:  * All versions before 21.2R3-S8,  * from 21.4 before 21.4R3-S7, * from 22.2 before 22.2R3-S4, * from 22.3 before 22.3R3-S3, * from 22.4 before 22.4R3-S2, * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S1, 23.4R2.

Remediation

Solution:

  • The following software releases have been updated to resolve this specific issue: 21.2R3-S8, 21.4R3-S7, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2, 23.4R1-S1, 23.4R2, 24.2R1, and all subsequent releases.

Workaround:

  • There are no known workarounds for this issue other than disabling J-Web when not in use. Juniper Networks has written an effective countermeasure for this attack at IDP Signature SigPack #3675 onward, released on 07 February 2024. The signature “HTTP:PHP:LAUNCHPAD-CMD-INJ” will identify and block the attack. For best effect, customers may deploy this signature on devices where J-Web is not used.
  • Methods which may reduce, but not eliminate, the risk for exploitation of these problems, and which does not mitigate or resolve the underlying problem include: • Deploying the appropriate IDP Signature on devices which do not have J-Web enabled which protect the device downstream which requires J-Web to be enabled. • Disabling J-Web and using only alternate options such as Netconf over SSH for device management • Restricting the use of J-Web to low-privileged accounts only In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device only from trusted, administrative networks or hosts.

Category

7.7
CVSS
Severity: High
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.32%
Vendor Advisory juniper.net
Affected: Juniper Networks, Inc. Junos OS
Published at:
Updated at:

References

Link Tags
https://supportportal.juniper.net/JSA83023 vendor advisory
https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber related
https://support.juniper.net/support/downloads/?p=283 signature

Frequently Asked Questions

What is the severity of CVE-2024-39565?
CVE-2024-39565 has been scored as a high severity vulnerability.
How to fix CVE-2024-39565?
To fix CVE-2024-39565: The following software releases have been updated to resolve this specific issue: 21.2R3-S8, 21.4R3-S7, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2, 23.4R1-S1, 23.4R2, 24.2R1, and all subsequent releases.
Is CVE-2024-39565 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-39565 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-39565?
CVE-2024-39565 affects Juniper Networks, Inc. Junos OS.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.