CVE-2021-0296 — HIGH (7.4) — White Hats Nepal

Vulnerability Description

The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Juniper	Ctpview	7.3

Related Weaknesses (CWE)

CWE-319

References

https://kb.juniper.net/JSA11210Vendor Advisory
https://kb.juniper.net/JSA11210Vendor Advisory

FAQ

What is CVE-2021-0296?

CVE-2021-0296 is a vulnerability with a CVSS score of 7.4 (HIGH). The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain ...

How severe is CVE-2021-0296?

CVE-2021-0296 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-0296?

Check the references section above for vendor advisories and patch information. Affected products include: Juniper Ctpview.