CVE-2023-36847
Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
Confirmed exploited in the wild. Added 2023-11-13.
Federal remediation due 2023-11-17.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Summary
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
- All versions prior to 20.4R3-S8;
- 21.1 versions 21.1R1 and later;
- 21.2 versions prior to 21.2R3-S6;
- 21.3 versions prior to 21.3R3-S5;
- 21.4 versions prior to 21.4R3-S4;
- 22.1 versions prior to 22.1R3-S3;
- 22.2 versions prior to 22.2R3-S1;
- 22.3 versions prior to 22.3R2-S2, 22.3R3;
- 22.4 versions prior to 22.4R2-S1, 22.4R3.
CVSS 3.1 breakdown
| Base score | 5.3 (MEDIUM) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity | LOW |
| Availability | NONE |
Weakness type (CWE)
Affected products
References
- https://supportportal.juniper.net/JSA72300
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36847
Data: NIST NVD + CISA KEV. NVD last modified 2026-02-26. Always verify against the vendor advisory before acting.