CVE-2019-0039: If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may al...

Description

If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.29%

66.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Juniper	Junos	>= 14.1x53, < 14.1x53-d49
Juniper	Junos	>= 15.1, < 15.1f6-s12
Juniper	Junos	>= 15.1x49, < 15.1x49-d160
Juniper	Junos	>= 15.1x53, < 15.1x53-d236
Juniper	Junos	>= 16.1, < 16.1r3-s10
Juniper	Junos	>= 16.1x65, < 16.1x65-d49
Juniper	Junos	>= 16.2, < 16.2r2-s7
Juniper	Junos	>= 17.1, < 17.1r2-s10
Juniper	Junos	>= 17.2, < 17.2r1-s8
Juniper	Junos	>= 17.3, < 17.3r3-s2
Juniper	Junos	>= 17.4, < 17.4r1-s6
Juniper	Junos	>= 18.1, < 18.1r2-s4
Juniper	Junos	>= 18.2, < 18.2r1-s5
Juniper	Junos	>= 18.2x75, < 18.2x75-d30
Juniper	Junos	>= 18.3, < 18.3r1-s1

References

http://www.securityfocus.com/bid/107899Broken Link, Third Party Advisory, VDB Entry
https://kb.juniper.net/JSA10928Mitigation, Vendor Advisory
http://www.securityfocus.com/bid/107899Broken Link, Third Party Advisory, VDB Entry
https://kb.juniper.net/JSA10928Mitigation, Vendor Advisory

Timeline

Published: Apr 10, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-0039?

If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.

How severe is CVE-2019-0039?

CVE-2019-0039 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 1.29% probability of exploitation in the next 30 days.

How do I fix CVE-2019-0039?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.