CVE-2023-36847 - Juniper Junos OS
AI Vulnerability ContextA Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system...
Overview
A source-backed snapshot of this vulnerability.
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of
integrity
for a certain
part of the file system, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
- All versions prior to 20.4R3-S8;
- 21.1 versions 21.1R1 and later;
- 21.2 versions prior to 21.2R3-S6;
- 21.3 versions
prior to
21.3R3-S5;
- 21.4 versions
prior to
21.4R3-S4;
- 22.1 versions
prior to
22.1R3-S3;
- 22.2 versions
prior to
22.2R3-S1;
- 22.3 versions
prior to
22.3R2-S2, 22.3R3;
- 22.4 versions
prior to
22.4R2-S1, 22.4R3.
Vulnerability status
How serious this vulnerability is and whether it is known to be exploited.
- CVE ID
- CVE-2023-36847
- Vendor/project
- Juniper
- Product
- Junos OS
- Vulnerability name
- Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
- Date added
- 2023-11-13
- Due date
- 2023-11-17
- Known ransomware campaign use
- Unknown
- CVSS v3
- 5.3
Exploit context
What the vulnerability is about.
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of
integrity
for a certain
part of the file system, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
- All versions prior to 20.4R3-S8;
- 21.1 versions 21.1R1 and later;
- 21.2 versions prior to 21.2R3-S6;
- 21.3 versions
prior to
21.3R3-S5;
- 21.4 versions
prior to
21.4R3-S4;
- 22.1 versions
prior to
22.1R3-S3;
- 22.2 versions
prior to
22.2R3-S1;
- 22.3 versions
prior to
22.3R2-S2, 22.3R3;
- 22.4 versions
prior to
22.4R2-S1, 22.4R3.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
