VYPR
Unrated severityCISA KEVNVD Advisory· Published Aug 17, 2023· Updated Oct 21, 2025

Junos OS: SRX Series: A vulnerability in J-Web allows an unauthenticated attacker to upload arbitrary files

CVE-2023-36846

Description

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of

integrity

for a certain

part of the file system, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on SRX Series:

  • All versions prior to 20.4R3-S8;
  • 21.1 versions 21.1R1 and later;
  • 21.2 versions prior to 21.2R3-S6;
  • 21.3 versions

prior to

21.3R3-S5; * 21.4 versions

prior to

21.4R3-S5; * 22.1 versions

prior to

22.1R3-S3; * 22.2 versions

prior to

22.2R3-S2; * 22.3 versions

prior to

22.3R2-S2, 22.3R3; * 22.4 versions

prior to

22.4R2-S1, 22.4R3.

Affected products

2
  • Juniper Networks/Junosllm-fuzzy2 versions
    <20.4R3-S8 for 20.4, >=21.1R1 for 21.1, <21.2R3-S6 for 21.2, <21.3R3-S5 for 21.3, <21.4R3-S5 for 21.4, <22.1R3-S3 for 22.1, <22.2R3-S2 for 22.2, <22.3R2-S2 or 22.3R3 for 22.3, <22.4R2-S1 or 22.4R3 for 22.4+ 1 more
    • (no CPE)range: <20.4R3-S8 for 20.4, >=21.1R1 for 21.1, <21.2R3-S6 for 21.2, <21.3R3-S5 for 21.3, <21.4R3-S5 for 21.4, <22.1R3-S3 for 22.1, <22.2R3-S2 for 22.2, <22.3R2-S2 or 22.3R3 for 22.3, <22.4R2-S1 or 22.4R3 for 22.4
    • (no CPE)range: 0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.