CVE Vulnerability

CVE-2019-0015

A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN connection should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token. Affected releases are Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D75; 15.1X49 versions prior to 15.1X49-D150; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://kb.juniper.net/JSA10915 Vendor Advisory
http://www.securityfocus.com/bid/106668 Third Party Advisory VDB Entry
Configurations

Configuration 1
Information

Published : 2019-01-15 09:29

Updated : 2021-11-09 09:22

NVD link : CVE-2019-0015

Mitre link : CVE-2019-0015

Products Affected

Juniper

Junos

Srx100

Srx110

Srx1400

Srx1500

Srx210

Srx220

Srx240

Srx300

Srx320

Srx340

Srx3400

Srx345

Srx3600

Srx380

Srx4000

Srx4100

Srx5400

Srx550

Srx5600

Srx5800

Srx650

CWE
CWE-613