CVE-2024-39532

An Insertion of Sensitive Information into Log File vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to access sensitive information.

When another user performs a specific operation, sensitive information is stored as plain text in a specific log file, so that a high-privileged attacker has access to this information. This issue affects:

Junos OS:

• All versions before 22.1R2-S2,
• 22.1R3 and later versions,
• 22.2 versions before 22.2R2-S1, 22.2R3,
• 22.3 versions before 22.3R1-S2, 22.3R2;

Junos OS Evolved:

• All versions before before 22.1R3-EVO,
• 22.2-EVO versions before 22.2R2-S1-EVO, 22.2R3-EVO,
• 22.3-EVO versions before 22.3R1-S1-EVO, 22.3R2-EVO.

Weakness

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for:

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/215.html

References

• https://supportportal.juniper.net/JSA82992