Cyber Resilience

CVE-2023-36851

Medium | CISA KEV | Active Exploitation | EUVD Exploited

Published: 27 September 2023
Modified: 26 February 2026
KEV Added: 13 November 2023
Patch
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.1495 (94.7th percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-36851 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Juniper Junos. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2023-36851 is a missing authentication for critical function vulnerability (CWE-306) affecting Juniper Networks Junos OS on SRX Series devices. The flaw resides in the J-Web interface and permits an unauthenticated network attacker to reach the script webauth_operation.php, which lacks any access control. Affected releases include all 21.2 versions prior to 21.2R3-S8, 21.4 versions prior to 21.4R3-S6, 22.1 versions prior to 22.1R3-S5, 22.2 versions prior to 22.2R3-S3, 22.3 versions prior to 22.3R3-S2, 22.4 versions prior to 22.4R2-S2 and 22.4R3, and 23.2 versions prior to 23.2R1-S2 and 23.2R2. The CVSS 3.1 base score is 5.3.

An unauthenticated remote attacker can send a crafted request to webauth_operation.php to upload or download arbitrary files on the device file system. The action results in limited integrity and confidentiality impact and may be chained with other vulnerabilities to expand access.

The vendor advisory JSA72300 lists the fixed releases above and is referenced by CISA in its Known Exploited Vulnerabilities catalog, confirming that exploitation has been observed in the wild. The associated EPSS score has reached a peak of 0.1563.
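An added example, not taken from the vendor advisory or from this page's source: a check of Junos release strings against the fixed releases listed above. The release-string pattern, the hostnames and the inventory are assumptions made for the illustration, and trains this page does not list are reported as not-listed rather than treated as safe.

```python
import re

# Fixed releases per train, copied from the affected-release list on this page.
FIXED = {
    "21.2": ["21.2R3-S8"],
    "21.4": ["21.4R3-S6"],
    "22.1": ["22.1R3-S5"],
    "22.2": ["22.2R3-S3"],
    "22.3": ["22.3R3-S2"],
    "22.4": ["22.4R2-S2", "22.4R3"],
    "23.2": ["23.2R1-S2", "23.2R2"],
}

# Assumed release-string shape: <train>R<n>[-S<n>][.<spin>], e.g. 21.2R3-S7.4
_RELEASE = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(release):
    """Return (train, (R, S)) or None if the string is not an R-type release."""
    m = _RELEASE.match(release.strip())
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3) or 0))

def classify(release):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    parsed = parse(release)
    if parsed is None:
        return "unparsed"
    train, (r, s) = parsed
    if train not in FIXED:
        return "not-listed"  # the page gives no fixed release for this train
    fixes = [parse(f)[1] for f in FIXED[train]]
    # Fixed if at or past the newest fix, or on the same R with S at or past a fix.
    if (r, s) >= max(fixes) or any(r == fr and s >= fs for fr, fs in fixes):
        return "fixed"
    return "vulnerable"

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {"srx-a": "21.2R3-S7.4", "srx-b": "22.4R2-S3", "srx-c": "22.4R2-S1",
             "srx-d": "23.2R2", "srx-e": "20.4R3-S9", "srx-f": "22.3X1"}

def report(inventory):
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:6} {INVENTORY[host]:14} {status}")
```

Hosts reported as not-listed or unparsed need a manual check against advisory JSA72300.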

Vulnerability details

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of integrity or confidentiality, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series:

* 21.2 versions prior to 21.2R3-S8;
* 21.4 versions prior to 21.4R3-S6;
* 22.1 versions prior to 22.1R3-S5;
* 22.2 versions prior to 22.2R3-S3;
* 22.3 versions prior to 22.3R3-S2;
* 22.4 versions prior to 22.4R2-S2, 22.4R3;
* 23.2 versions prior to 23.2R1-S2, 23.2R2.

CWE(s): CWE-306
KEV Date Added: 13 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

juniper
junos
21.2, 21.4, 22.1, 22.2, 22.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks before permitting any access to critical functions such as webauth_operation.php file upload/download.

prevent

Requires successful identification and authentication of users prior to granting access to the J-Web management interface on SRX devices.

AC-17 Remote Access partial match
prevent

Establishes usage restrictions and authentication requirements for all network-based remote access to the device management plane.
