Juniper Networks, a manufacturer of networking equipment, has released patches for four vulnerabilities that could be combined to allow unauthenticated, remote code execution in the Junos OS J-Web interface.
Individually, the bugs have a ‘medium’ severity rating and are tracked as CVE-2023-36844 through CVE-2023-36847. However, Juniper warns that their chained exploitation is of “critical severity”. “By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices,” the company warns.
CVE-2023-36844 and CVE-2023-36845 are PHP external variable modification flaws that could give remote attackers access to environment variables without requiring any authorization.