Contrail Service Orchestration
CVE-2018-0040
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services.
AnalysisAI
Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-321. Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services. Affected products include: Juniper Contrail Service Orchestration. Version information: prior to 4.0.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Juniper Networks CSO versions prior to 4.0.0 may log passwords in log files leading to an information disclosure vulnera
Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 use hardcoded credentials to access Keystone ser
Juniper Networks Contrail Service Orchestration releases prior to 4.0.0 have Grafana service enabled by default with har
Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 have Cassandra service enabled by default with h
An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locall
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today