CVE-2022-22152

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://kb.juniper.net/JSA11260	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:juniper:contrail_service_orchestration::::::::
	cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:-::::::
	cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:patch1::::::
	cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:patch2::::::

History

24 Jan 2022, 21:20

Type	Values Removed	Values Added
First Time		Juniper Juniper contrail Service Orchestration
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 6.5
References	~~(CONFIRM) https://kb.juniper.net/JSA11260 -~~	(CONFIRM) https://kb.juniper.net/JSA11260 - Vendor Advisory
CPE		cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:-:::::: cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:patch2:::::: cpe:2.3:a:juniper:contrail_service_orchestration:::::::: cpe:2.3:a:juniper:contrail_service_orchestration:6.1.0:patch1::::::

19 Jan 2022, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-19 01:15

Updated : 2023-12-10 14:09

NVD link : CVE-2022-22152

Mitre link : CVE-2022-22152

CVE.ORG link : CVE-2022-22152

JSON object : View

Products Affected

juniper

contrail_service_orchestration

CWE

CWE-693

Protection Mechanism Failure

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-22152

6.5^/10

4.0^/10

Attach tags to `CVE-2022-22152`