Juniper PAA Control Center 3.x Improper Access Control (unauth report exfil)
CVE-2024-21589 Published on January 12, 2024
Paragon Active Assurance Control Center: Information disclosure vulnerability
An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated network-based attacker to access reports without authenticating, potentially containing sensitive configuration information.
A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. By exploiting this vulnerability, it is possible to access reports without being logged in, resulting in the opportunity for malicious exfiltration of user data.
Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue.
This issue affects Juniper Networks Paragon Active Assurance versions 3.1.0, 3.2.0, 3.2.2, 3.3.0, 3.3.1, 3.4.0.
This issue does not affect Juniper Networks Paragon Active Assurance versions earlier than 3.1.0.
Vulnerability Analysis
CVE-2024-21589 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Timeline
Initial Publication
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-21589 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2024-21589
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-21589 are published in Juniper Networks Paragon Active Assurance Control Center:
Affected Versions
Juniper Networks Paragon Active Assurance:- Before 3.1.0 is unaffected.
- Version 3.2.0 and below 3.2.* is affected.
- Version 3.2.2 and below 3.2.* is affected.
- Version 3.3.0 and below 3.3.* is affected.
- Version 3.3.1 and below 3.3.* is affected.
- Version 3.4.0 and below 3.4.* is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.