Contrail Service Orchestration: An authenticated local user may have their permissions elevated via the device via management interface without authentication
CVE-2022-22189

7.3HIGH

Key Information:

Vendor: Juniper Networks
Status: Contrail Service Orchestration
Vendor: CVE Published:; 13 April 2022

Badges

👾 Exploit Exists

Summary

An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locally authenticated user to have their permissions elevated without authentication thereby taking control of the local system they are currently authenticated to. This issue affects: Juniper Networks Contrail Service Orchestration 6.0.0 versions prior to 6.0.0 Patch v3 on On-premises installations. This issue does not affect Juniper Networks Contrail Service Orchestration On-premises versions prior to 6.0.0.

Affected Version(s)

Contrail Service Orchestration < 6.0.0

Contrail Service Orchestration On-premises 6.0.0 < 6.0.0 Patch v3

References

https://kb.juniper.net/JSA69498

x_refsource_CONFIRM

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Aug 3, 2024
Vulnerability published
Apr 13, 2022
Vulnerability Reserved
Dec 21, 2021