Contrail Service Orchestration: Tenants able to see other tenants policies via REST API interface
CVE-2022-22152

7.7HIGH

Key Information:

Vendor: Juniper Networks
Status: Contrail Service Orchestration
Vendor: CVE Published:; 19 January 2022

Summary

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3.

Affected Version(s)

Contrail Service Orchestration < 6.1.0 Patch 3

References

https://kb.juniper.net/JSA11260

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 19, 2022
Vulnerability Reserved
Dec 21, 2021