Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-10624

Summary
Assigner-juniper
Assigner Org ID-8cbe9d5a-a066-4c94-8978-4b15efeae968
Published At-13 Oct, 2017 | 17:00
Updated At-16 Sep, 2024 | 23:35
Rejected At-
Credits

Junos Space: Insufficient verification of node certificates.

Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:juniper
Assigner Org ID:8cbe9d5a-a066-4c94-8978-4b15efeae968
Published At:13 Oct, 2017 | 17:00
Updated At:16 Sep, 2024 | 23:35
Rejected At:
▼CVE Numbering Authority (CNA)
Junos Space: Insufficient verification of node certificates.

Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1.

Affected Products
Vendor
Juniper Networks, Inc.Juniper Networks
Product
Junos Space
Versions
Affected
  • versions prior to 17.1R1
Problem Types
TypeCWE IDDescription
textN/Ainsufficient verification
Type: text
CWE ID: N/A
Description: insufficient verification
Metrics
VersionBase scoreBase severityVector
3.07.5HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations

This vulnerability is relevant to Junos Space devices configured in cluster mode.

Workarounds

There are no viable workarounds for this issue. It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts.

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://kb.juniper.net/JSA10826
x_refsource_CONFIRM
http://www.securityfocus.com/bid/101255
vdb-entry
x_refsource_BID
Hyperlink: https://kb.juniper.net/JSA10826
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.securityfocus.com/bid/101255
Resource:
vdb-entry
x_refsource_BID
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://kb.juniper.net/JSA10826
x_refsource_CONFIRM
x_transferred
http://www.securityfocus.com/bid/101255
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://kb.juniper.net/JSA10826
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.securityfocus.com/bid/101255
Resource:
vdb-entry
x_refsource_BID
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:sirt@juniper.net
Published At:13 Oct, 2017 | 17:29
Updated At:20 Apr, 2025 | 01:37

Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.07.5HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary3.07.5HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary2.05.1MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
Type: Secondary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 5.1
Base severity: MEDIUM
Vector:
AV:N/AC:H/Au:N/C:P/I:P/A:P
CPE Matches
Juniper Networks, Inc.
juniper
>>junos_space>>Versions up to 16.1(inclusive)
cpe:2.3:o:juniper:junos_space:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-345Primarynvd@nist.gov
CWE ID: CWE-345
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/101255sirt@juniper.net
Third Party Advisory
VDB Entry
https://kb.juniper.net/JSA10826sirt@juniper.net
Vendor Advisory
http://www.securityfocus.com/bid/101255af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
https://kb.juniper.net/JSA10826af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/101255
Source: sirt@juniper.net
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://kb.juniper.net/JSA10826
Source: sirt@juniper.net
Resource:
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/101255
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://kb.juniper.net/JSA10826
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

13Records found
CVE-2017-2334
Matching Score-8
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-8
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.53%
||
7 Day CHG~0.00%
Published-24 Apr, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to perform a man-in-the-middle attack, thereby stealing authentic credentials from encrypted paths which are easily decrypted, and subsequently gain complete control of the system.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-northstar_controllerNorthStar Controller Application
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2013-4689
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.1||MEDIUM
EPSS-0.09% / 26.53%
||
7 Day CHG~0.00%
Published-17 Oct, 2013 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1R before 12.1R6, 12.1X44 before 12.1X44-D15, 12.1x45 before 12.1X45-D10, 12.2 before 12.2R3, 12.3 before 12.3R2, and 13.1 before 13.1R3 allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators for requests that (1) create new administrator accounts or (2) have other unspecified impacts.

Action-Not Available
Vendor-n/aJuniper Networks, Inc.
Product-junosn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2002-2223
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.1||MEDIUM
EPSS-1.75% / 81.77%
||
7 Day CHG~0.00%
Published-27 Feb, 2007 | 02:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in NetScreen-Remote 8.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) large number of payloads, or (3) a long payload.

Action-Not Available
Vendor-n/aJuniper Networks, Inc.
Product-netscreen_remote_security_clientnetscreen_remote_vpn_clientn/a
CVE-2021-0269
Matching Score-8
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-8
Assigner-Juniper Networks, Inc.
CVSS Score-8.8||HIGH
EPSS-0.38% / 58.29%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 19:37
Updated-17 Sep, 2024 | 01:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: J-Web can be compromised through reflected client-side HTTP parameter pollution attacks.

The improper handling of client-side parameters in J-Web of Juniper Networks Junos OS allows an attacker to perform a number of different malicious actions against a target device when a user is authenticated to J-Web. An attacker may be able to supersede existing parameters, including hardcoded parameters within the HTTP/S session, access and exploit variables, bypass web application firewall rules or input validation mechanisms, and otherwise alter and modify J-Web's normal behavior. An attacker may be able to transition victims to malicious web services, or exfiltrate sensitive information from otherwise secure web forms. This issue affects: Juniper Networks Junos OS: All versions prior to 17.4R3-S3; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S2, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junosJunos OS
CWE ID-CWE-233
Improper Handling of Parameters
CVE-2020-1677
Matching Score-6
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-6
Assigner-Juniper Networks, Inc.
CVSS Score-7.2||HIGH
EPSS-0.18% / 39.40%
||
7 Day CHG~0.00%
Published-16 Oct, 2020 | 20:31
Updated-16 Sep, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Juniper Networks Mist Cloud UI: SAML authentication attribute elements handling vulnerability.

When SAML authentication is enabled, Juniper Networks Mist Cloud UI might incorrectly handle child elements in SAML responses, allowing a remote attacker to modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls. This issue affects all Juniper Networks Mist Cloud UI versions prior to September 2 2020.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-mist_cloud_uiMIST Cloud UI
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2017-14091
Matching Score-4
Assigner-Trend Micro, Inc.
ShareView Details
Matching Score-4
Assigner-Trend Micro, Inc.
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.52%
||
7 Day CHG~0.00%
Published-15 Dec, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which certain specific installations that utilize a uncommon feature - Other Update Sources - could be exploited to overwrite sensitive files in the ScanMail for Exchange directory.

Action-Not Available
Vendor-Trend Micro Incorporated
Product-scanmailTrend Micro ScanMail for Exchange
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2016-1493
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.21%
||
7 Day CHG~0.00%
Published-29 Jan, 2016 | 20:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Intel Driver Update Utility before 2.4 retrieves driver updates in cleartext, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.

Action-Not Available
Vendor-n/aIntel Corporation
Product-driver_update_utilityn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2021-20271
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7||HIGH
EPSS-0.20% / 41.84%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 00:00
Updated-03 Aug, 2024 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Action-Not Available
Vendor-starwindsoftwarerpmn/aRed Hat, Inc.Fedora Project
Product-fedorastarwind_virtual_sanrpmenterprise_linuxrpm
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2015-7539
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.04% / 76.52%
||
7 Day CHG~0.00%
Published-03 Feb, 2016 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Action-Not Available
Vendor-n/aRed Hat, Inc.Jenkins
Product-openshiftjenkinsn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2015-0259
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 42.77%
||
7 Day CHG~0.00%
Published-01 Apr, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

Action-Not Available
Vendor-n/aOpenStack
Product-novan/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2025-2346
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.03% / 6.12%
||
7 Day CHG~0.00%
Published-16 Mar, 2025 | 20:00
Updated-17 Mar, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IROAD Dash Cam X5/Dash Cam X6 Domain origin validation

A vulnerability has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308 and classified as problematic. This vulnerability affects unknown code of the component Domain Handler. The manipulation of the argument Domain Name leads to origin validation error. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.

Action-Not Available
Vendor-IROAD
Product-Dash Cam X5Dash Cam X6
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-346
Origin Validation Error
CVE-2019-7323
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.26% / 49.04%
||
7 Day CHG~0.00%
Published-04 Feb, 2019 | 16:00
Updated-16 Sep, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GUP (generic update process) in LightySoft LogMX before 7.4.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update. The update process relies on cleartext HTTP. The attacker could replace the LogMXUpdater.class file.

Action-Not Available
Vendor-logmxn/a
Product-logmxn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2021-26103
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.11% / 29.97%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 12:01
Updated-25 Oct, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy verison 2.0.3 and below, 1.2.11 and below and FortiGate verison 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiproxyfortiosFortinet FortiOS
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
Details not found