CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
99.7%
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables.
Using a crafted request an attacker is able to modify
certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
All versions prior to 20.4R3-S9;
21.1 versions 21.1R1 and later;
21.2 versions prior to 21.2R3-S7;
21.3 versions
prior to
21.3R3-S5;
prior to
21.4R3-S5;
prior to
22.1R3-S4;
prior to
22.2R3-S2;
prior to 22.3R3-S1;
prior to
22.4R2-S2, 22.4R3;
23.2R1-S1, 23.2R2.
Recent assessments:
rbowes-r7 at September 21, 2023 10:12pm UTC reported:
The work done by watchTowr and later VulnCheck is super cool, and outlines different great ways to exploit the vulnerability (we based the Rapid7 Analysis on watchTowrโs). Neither of them mention something sorta-important: all the known exploits land you in a super-restrictive BSD jail with no meaningful OS access.
The application running in the jail has access to configure the system, so presumably thereโs a path from the jail to the OS, but to my knowledge nobody has done much yet. In our analysis, we showed how you could steal an admin session then change the systemโs password, but surely there are better avenues waiting to be found!
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2
packetstormsecurity.com/files/174397/Juniper-JunOS-SRX-EX-Remote-Code-Execution.html
packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
attackerkb.com/topics/UWR0Ip24yg/cve-2023-36845
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36844
github.com/r3dcl1ff/CVE-2023-36844_Juniper_RCE
supportportal.juniper.net/JSA72300
vulncheck.com/blog/juniper-cve-2023-36845
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
99.7%