ID

VAR-201804-0662


CVE

CVE-2018-0023


TITLE

JSNAPy Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-004204

DESCRIPTION

JSNAPy is an open source Python version of Junos Snapshot Administrator, developed by Juniper and available through GitHub. The default configuration and sample files of JSNAPy automation tool versions prior to 1.3.0 are created world-writable. This insecure file and directory permission allows unprivileged local users to alter the files under this directory, including inserting operations not intended by the package maintainer, system administrator, or other users. This issue only affects users who downloaded and installed JSNAPy from GitHub. JSNAPy contains vulnerabilities related to authorization, permissions, and access control. Information may be tampered with. Juniper JSNAPy is prone to a local insecure-file-permissions vulnerability. A local attacker can exploit this issue by gaining access to a world-readable file and extracting sensitive information from it. Information obtained may aid in other attacks. Versions prior to Juniper JSNAPy 1.3.0 are vulnerable. JSNAPy is mainly used to save runtime environment snapshots of networked devices running the Junos operating system.

Trust: 1.98

sources: NVD: CVE-2018-0023 // JVNDB: JVNDB-2018-004204 // BID: 103745 // VULHUB: VHN-118225

AFFECTED PRODUCTS

vendor: juniper, model: jsnapy, scope: lt, version: 1.3.0

Trust: 1.8

vendor: juniper, model: jsnapy, scope: eq, version: 1.2.1

Trust: 0.3

vendor: juniper, model: jsnapy, scope: eq, version: 1.2

Trust: 0.3

vendor: juniper, model: jsnapy, scope: ne, version: 1.3

Trust: 0.3

sources: BID: 103745 // JVNDB: JVNDB-2018-004204 // NVD: CVE-2018-0023

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0023
value: MEDIUM

Trust: 1.0

sirt@juniper.net: CVE-2018-0023
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0023
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201804-512
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118225
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-0023
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118225
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0023
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-118225 // JVNDB: JVNDB-2018-004204 // CNNVD: CNNVD-201804-512 // NVD: CVE-2018-0023 // NVD: CVE-2018-0023

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.1

problemtype: CWE-264

Trust: 0.9

sources: VULHUB: VHN-118225 // JVNDB: JVNDB-2018-004204 // NVD: CVE-2018-0023

THREAT TYPE

local

Trust: 0.9

sources: BID: 103745 // CNNVD: CNNVD-201804-512

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201804-512

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-004204

PATCH

title: JSA10856, url: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10856&actp=METADATA

Trust: 0.8

title: Juniper JSNAPy Fixes for permission permissions and access control vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83278

Trust: 0.6

sources: JVNDB: JVNDB-2018-004204 // CNNVD: CNNVD-201804-512

EXTERNAL IDS

db: NVD, id: CVE-2018-0023

Trust: 2.8

db: BID, id: 103745

Trust: 2.0

db: JUNIPER, id: JSA10856

Trust: 2.0

db: JVNDB, id: JVNDB-2018-004204

Trust: 0.8

db: CNNVD, id: CNNVD-201804-512

Trust: 0.7

db: VULHUB, id: VHN-118225

Trust: 0.1

sources: VULHUB: VHN-118225 // BID: 103745 // JVNDB: JVNDB-2018-004204 // CNNVD: CNNVD-201804-512 // NVD: CVE-2018-0023

REFERENCES

url: http://www.securityfocus.com/bid/103745

Trust: 1.7

url: https://kb.juniper.net/jsa10856

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0023

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-0023

Trust: 0.8

url: http://www.juniper.net/

Trust: 0.3

url: https://kb.juniper.net/infocenter/index?page=content&id=jsa10856&cat=sirt_1&actp=list

Trust: 0.3

sources: VULHUB: VHN-118225 // BID: 103745 // JVNDB: JVNDB-2018-004204 // CNNVD: CNNVD-201804-512 // NVD: CVE-2018-0023

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 103745

SOURCES

db: VULHUB, id: VHN-118225
db: BID, id: 103745
db: JVNDB, id: JVNDB-2018-004204
db: CNNVD, id: CNNVD-201804-512
db: NVD, id: CVE-2018-0023

LAST UPDATE DATE

2024-11-23T22:55:54.649000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118225, date: 2019-10-09T00:00:00
db: BID, id: 103745, date: 2018-04-11T00:00:00
db: JVNDB, id: JVNDB-2018-004204, date: 2018-06-14T00:00:00
db: CNNVD, id: CNNVD-201804-512, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0023, date: 2024-11-21T03:37:22.880

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118225, date: 2018-04-11T00:00:00
db: BID, id: 103745, date: 2018-04-11T00:00:00
db: JVNDB, id: JVNDB-2018-004204, date: 2018-06-14T00:00:00
db: CNNVD, id: CNNVD-201804-512, date: 2018-04-11T00:00:00
db: NVD, id: CVE-2018-0023, date: 2018-04-11T19:29:00.697