⚠ Actively exploited
Added to CISA KEV on 2023-11-13. Federal agencies required to patch by 2023-11-17. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-36844 — PHP External Variable Modification in Juniper Networks Junos OS
Severity
5.3 MEDIUM (NVD)
EPSS
94.3%
top 0.05%
CISA KEV
Added 2023-11-13
Due 2023-11-17
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Aug 17
KEV added: Nov 13
KEV due: Nov 17
Description
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables.
Using a crafted request an attacker is able to modify certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:
* All versions prior to 20.4R3-S9;
* 21.1 versions 21.1…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 2 packages
🔴 Vulnerability Details (3)
GHSA
GHSA-f2v8-3pfh-v3xm: A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacke (2023-08-17)
CVEList
Junos OS: EX Series: A PHP vulnerability in J-Web allows an unauthenticated attacker to control important environment variables (2023-08-17)
💥 Exploits & PoCs (1)
Nuclei
Juniper Devices - Remote Code Execution