CVE-2023-36847 — MEDIUM (5.3)

Q: How severe is CVE-2023-36847?

CVE-2023-36847 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-36847?

Check the references section above for vendor advisories and patch information. Affected products include: Juniper Junos, Juniper Ex2200, Juniper Ex2200-C, Juniper Ex2200-Vc, Juniper Ex2300.

Vulnerability Description

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Juniper	Junos	< 20.4
Juniper	Ex2200	-
Juniper	Ex2200-C	-
Juniper	Ex2200-Vc	-
Juniper	Ex2300	-
Juniper	Ex2300-24Mp	-
Juniper	Ex2300-24P	-
Juniper	Ex2300-24T	-
Juniper	Ex2300-48Mp	-
Juniper	Ex2300-48P	-
Juniper	Ex2300-48T	-
Juniper	Ex2300-C	-
Juniper	Ex2300M	-
Juniper	Ex3200	-
Juniper	Ex3300	-
Juniper	Ex3300-Vc	-
Juniper	Ex3400	-
Juniper	Ex4200	-
Juniper	Ex4200-Vc	-
Juniper	Ex4300	-

Related Weaknesses (CWE)

CWE-306

References

https://supportportal.juniper.net/JSA72300Vendor Advisory
https://supportportal.juniper.net/JSA72300Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-US Government Resource

FAQ

What is CVE-2023-36847?

CVE-2023-36847 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system inte...

How severe is CVE-2023-36847?

CVE-2023-36847 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-36847?

Check the references section above for vendor advisories and patch information. Affected products include: Juniper Junos, Juniper Ex2200, Juniper Ex2200-C, Juniper Ex2200-Vc, Juniper Ex2300.