Cyber Resilience

CVE-2023-36847

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 17 August 2023

Published
17 August 2023
Modified
26 February 2026
KEV Added
13 November 2023
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.9387 99.9th percentile
Risk Priority 87 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-36847 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Juniper Junos. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2023-36847 is a missing authentication for critical function vulnerability (CWE-306) in the J-Web interface of Juniper Networks Junos OS on EX Series switches. An unauthenticated network attacker can reach installAppPackage.php without credentials and upload arbitrary files, producing limited loss of file-system integrity that may be chained to other issues. The flaw affects all releases prior to 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2/22.3R3, and 22.4R2-S1/22.4R3, as well as 21.1R1 and later.

An unauthenticated remote attacker can exploit the flaw over the network by submitting a crafted request to the unauthenticated endpoint, enabling arbitrary file uploads that compromise a portion of the file system. The CVSS 5.3 vector reflects network access, low attack complexity, and no required privileges or user interaction, with impact limited to integrity.

Juniper’s advisory JSA72300 and the CISA Known Exploited Vulnerabilities catalog list the affected releases and direct administrators to install the fixed builds. The EPSS score has reached a peak of 0.9412 with a current value of 0.9387, and the CVE’s presence in the CISA catalog confirms observed in-the-wild exploitation.

EU & UK References

Vulnerability details

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an…

more

attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

CWE(s)
KEV Date Added
13 November 2023

Related Threats

Threat-Actor AttributionAI

UNC4841
UNC4841 exploited the J-Web auth bypass chain including CVE-2023-36847 (Volexity/Mandiant reporting, Aug 2023)

Affected Assets

juniper
junos
20.4, 21.1, 21.2, 21.3, 21.4 · ≤ 20.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication requirements on the installAppPackage.php endpoint so that unauthenticated network requests cannot upload files.

prevent

Requires authentication and authorization for all remote access to the J-Web interface, blocking the unauthenticated file-upload vector.

prevent

Mandates identification and authentication of non-organizational users before any access to management functions such as package installation.

References