CWE-236
AllowedImproper Handling of Undefined Parameters
Abstraction: Variant · Status: Draft
The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.
3 vulnerabilities reference this CWE, most recent first.
CVE-2026-57032 (GCVE-0-2026-57032)
Vulnerability from cvelistv5 – Published: 2026-07-09 21:14 – Updated: 2026-07-10 14:34- CWE-236 - Improper Handling of Undefined Parameters
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA110092 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 23.2R2-S7
(custom)
Affected: 23.4 , < 23.4R2-S8 (custom) Affected: 24.2 , < 24.2R2-S5 (custom) Affected: 24.4 , < 24.4R2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:34:41.285297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:34:50.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"EX3400",
"EX4100",
"EX4400",
"EX2300",
"EX4000"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.2R2-S7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "23.4R2-S8",
"status": "affected",
"version": "23.4",
"versionType": "custom"
},
{
"lessThan": "24.2R2-S5",
"status": "affected",
"version": "24.2",
"versionType": "custom"
},
{
"lessThan": "24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To be exposed to this issue gRPC needs to be enabled via at least one of:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ system services http servers ]\u003cbr\u003e[ system services extension-service request-response grpc ]\u003c/tt\u003e"
}
],
"value": "To be exposed to this issue gRPC needs to be enabled via at least one of:\n\n[ system services http servers ]\n[ system services extension-service request-response grpc ]"
}
],
"datePublic": "2026-07-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS).\u003cp\u003e\n\nIf an attempt is made to subscribe to an unsupported telemetry sensor path on EX2300,\u0026nbsp;EX3400,\u0026nbsp;EX4000, EX4100 and EX4400 via gRPC, this causes the FPC to crash. This leads to a complete service outage until the module has automatically restarted.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe following log message can be seen when this issue happens:\u003c/p\u003e\u003ctt\u003eagentd[\u0026lt;PID\u0026gt;]: AGENTD_RESOURCE_NOT_FOUND: No resource name found for \u0026lt;sensor\u0026gt;\u003c/tt\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Junos OS on \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEX2300, EX3400, EX4000, EX4100 and EX4400\u003c/span\u003e\n\ndevices:\u003cbr\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 23.2R2-S7,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S8,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R2-S5,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R2.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS).\n\nIf an attempt is made to subscribe to an unsupported telemetry sensor path on EX2300,\u00a0EX3400,\u00a0EX4000, EX4100 and EX4400 via gRPC, this causes the FPC to crash. This leads to a complete service outage until the module has automatically restarted.\u00a0\n\nThe following log message can be seen when this issue happens:\n\nagentd[\u003cPID\u003e]: AGENTD_RESOURCE_NOT_FOUND: No resource name found for \u003csensor\u003e\n\n\nThis issue affects Junos OS on \n\nEX2300, EX3400, EX4000, EX4100 and EX4400\n\ndevices:\n\n\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S8,\n * 24.2 versions before 24.2R2-S5,\n * 24.4 versions before 24.4R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-236",
"description": "CWE-236 Improper Handling of Undefined Parameters",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:14:11.048Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA110092"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 23.2R2-S7, 23.4R2-S8, 24.2R2-S5, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 23.2R2-S7, 23.4R2-S8, 24.2R2-S5, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA110092",
"defect": [
"1912078"
],
"discovery": "USER"
},
"title": "Junos OS: EX Series: Subscribing to an unsupported telemetry sensor path causes fxpc process crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003eTo reduce the risk of exploitation use access lists or firewall filters to limit access to the device only from trusted hosts and administrators.\u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\nTo reduce the risk of exploitation use access lists or firewall filters to limit access to the device only from trusted hosts and administrators."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2026-57032",
"datePublished": "2026-07-09T21:14:11.048Z",
"dateReserved": "2026-06-23T16:27:00.249Z",
"dateUpdated": "2026-07-10T14:34:50.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-20828 (GCVE-0-2022-20828)
Vulnerability from cvelistv5 – Published: 2022-06-24 15:25 – Updated: 2024-11-01 19:00| URL | Tags |
|---|---|
| https://tools.cisco.com/security/center/content/C… | vendor-advisoryx_refsource_CISCO |
| https://www.rapid7.com/blog/post/2022/08/11/rapid… | x_refsource_MISC |
| http://packetstormsecurity.com/files/168256/Cisco… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco FirePOWER Services Software for ASA |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:24:50.067Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20220622 Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/168256/Cisco-ASA-X-With-FirePOWER-Services-Authenticated-Command-Injection.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-20828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T18:42:47.498802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T19:00:55.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco FirePOWER Services Software for ASA",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2022-06-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-236",
"description": "CWE-236",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T16:06:12.000Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20220622 Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/168256/Cisco-ASA-X-With-FirePOWER-Services-Authenticated-Command-Injection.html"
}
],
"source": {
"advisory": "cisco-sa-asasfr-cmd-inject-PE4GfdG",
"defect": [
[
"CSCwb32418"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2022-06-22T23:00:00",
"ID": "CVE-2022-20828",
"STATE": "PUBLIC",
"TITLE": "Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco FirePOWER Services Software for ASA",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "6.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-236"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20220622 Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG"
},
{
"name": "https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/",
"refsource": "MISC",
"url": "https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/"
},
{
"name": "http://packetstormsecurity.com/files/168256/Cisco-ASA-X-With-FirePOWER-Services-Authenticated-Command-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/168256/Cisco-ASA-X-With-FirePOWER-Services-Authenticated-Command-Injection.html"
}
]
},
"source": {
"advisory": "cisco-sa-asasfr-cmd-inject-PE4GfdG",
"defect": [
[
"CSCwb32418"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2022-20828",
"datePublished": "2022-06-24T15:25:16.277Z",
"dateReserved": "2021-11-02T00:00:00.000Z",
"dateUpdated": "2024-11-01T19:00:55.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-HP6X-WHRH-RG9M
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS).
If an attempt is made to subscribe to an unsupported telemetry sensor path on EX2300, EX3400, EX4000, EX4100 and EX4400 via gRPC, this causes the FPC to crash. This leads to a complete service outage until the module has automatically restarted.
The following log message can be seen when this issue happens:
agentd[]: AGENTD_RESOURCE_NOT_FOUND: No resource name found for
This issue affects Junos OS on
EX2300, EX3400, EX4000, EX4100 and EX4400
devices:
- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S8,
- 24.2 versions before 24.2R2-S5,
- 24.4 versions before 24.4R2.
{
"affected": [],
"aliases": [
"CVE-2026-57032"
],
"database_specific": {
"cwe_ids": [
"CWE-236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:09Z",
"severity": "HIGH"
},
"details": "An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS).\n\nIf an attempt is made to subscribe to an unsupported telemetry sensor path on EX2300,\u00a0EX3400,\u00a0EX4000, EX4100 and EX4400 via gRPC, this causes the FPC to crash. This leads to a complete service outage until the module has automatically restarted.\u00a0\n\nThe following log message can be seen when this issue happens:\n\nagentd[\u003cPID\u003e]: AGENTD_RESOURCE_NOT_FOUND: No resource name found for \u003csensor\u003e\n\n\nThis issue affects Junos OS on \n\nEX2300, EX3400, EX4000, EX4100 and EX4400\n\ndevices:\n\n\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S8,\n * 24.2 versions before 24.2R2-S5,\n * 24.4 versions before 24.4R2.",
"id": "GHSA-hp6x-whrh-rg9m",
"modified": "2026-07-10T00:31:27Z",
"published": "2026-07-10T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57032"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA110092"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.