VYPR
Unrated severityCISA KEVNVD Advisory· Published Sep 26, 2023· Updated Oct 21, 2025

Junos OS: SRX Series: A vulnerability in J-Web allows an unauthenticated attacker to upload and download arbitrary files

CVE-2023-36851

Description

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

With a specific request to

webauth_operation.php

that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of

integrity or confidentiality, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on SRX Series:

*

21.2 versions prior to 21.2R3-S8; * 21.4

versions prior to

21.4R3-S6; * 22.1

versions prior to

22.1R3-S5; * 22.2

versions prior to

22.2R3-S3; * 22.3

versions prior to

22.3R3-S2; * 22.4 versions prior to 22,4R2-S2, 22.4R3; * 23.2 versions prior to

23.2R1-S2, 23.2R2.

Affected products

2
  • Juniper Networks/Junosllm-fuzzy2 versions
    21.2 before 21.2R3-S8 || 21.4 before 21.4R3-S6 || 22.1 before 22.1R3-S5 || 22.2 before 22.2R3-S3 || 22.3 before 22.3R3-S2 || 22.4 before 22.4R2-S2,22.4R3 || 23.2 before 23.2R1-S2,23.2R2+ 1 more
    • (no CPE)range: 21.2 before 21.2R3-S8 || 21.4 before 21.4R3-S6 || 22.1 before 22.1R3-S5 || 22.2 before 22.2R3-S3 || 22.3 before 22.3R3-S2 || 22.4 before 22.4R2-S2,22.4R3 || 23.2 before 23.2R1-S2,23.2R2
    • (no CPE)range: 21.2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.