Vulnerabilities related to jumpserver - jumpserver
cve-2023-46138
Vulnerability from cvelistv5
Published
2023-10-30 23:53
Modified
2024-09-05 20:17
Summary
JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq | x_refsource_CONFIRM
https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | < 3.8.0
cve-2023-42820
Vulnerability from cvelistv5
Published
2023-09-26 20:35
Modified
2024-09-23 20:26
Summary
JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled, users are not affected. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds for this issue.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7prv-g565-82qp | x_refsource_CONFIRM
https://github.com/jumpserver/jumpserver/commit/42337f0d00b2a8d45ef063eb5b7deeef81597da5 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | >= 2.24, < 2.28.19; >= 3.0.0, < 3.6.5
cve-2023-46123
Vulnerability from cvelistv5
Published
2023-10-25 00:13
Modified
2025-03-25 19:30
Summary
jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f | x_refsource_CONFIRM
https://github.com/jumpserver/jumpserver/releases/tag/v3.8.0 | x_refsource_MISC
https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | < 3.8.0
cve-2024-29201
Vulnerability from cvelistv5
Published
2024-03-29 14:57
Modified
2025-03-25 19:38
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj | x_refsource_CONFIRM
https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | >= 3.0.0, <= 3.10.6
cve-2023-43650
Vulnerability from cvelistv5
Published
2023-09-27 18:33
Modified
2025-03-25 19:24
Summary
JumpServer is an open source bastion host. The verification code for resetting a user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available for 1 minute, this window potentially allows for up to 1,000,000 validation attempts. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw | x_refsource_CONFIRM
https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | >= 2.0.0, < 2.28.20; >= 3.0.0, < 3.7.1
cve-2024-24763
Vulnerability from cvelistv5
Published
2024-02-20 17:35
Modified
2024-08-01 23:28
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5 | x_refsource_CONFIRM
https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | < 3.10.0
cve-2024-40629
Vulnerability from cvelistv5
Published
2024-07-18 17:04
Modified
2025-03-25 19:59
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade to the safe versions. There are no known workarounds for this vulnerability.
References
URL | Tags
---|---
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v | x_refsource_CONFIRM
https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
jumpserver | jumpserver | >= 3.0.0, < 3.10.12
cve-2023-42819
Vulnerability from cvelistv5
Published
2023-09-26 20:40
Modified
2024-09-23 20:26
Summary
JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can use the 'Job-Template' menu and create a playbook named 'test', then get the playbook id from the detail page, like 'e0adabef-c38f-492d-bd92-832bacc3df5f'. An attacker can exploit the directory traversal flaw using the provided URL to access and retrieve the contents of the file: `https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd`. A similar method to modify the file content is also present. This issue has been addressed in version 3.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33 | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/commit/d0321a74f1713d031560341c8fd0a1859e6510d8 | x_refsource_MISC |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | >= 3.0.0, < 3.6.5 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:30:24.783Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33", }, { name: "https://github.com/jumpserver/jumpserver/commit/d0321a74f1713d031560341c8fd0a1859e6510d8", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/commit/d0321a74f1713d031560341c8fd0a1859e6510d8", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-42819", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-23T20:25:44.503547Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-23T20:26:00.445Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.0.0, < 3.6.5", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can use the 'Job-Template' menu and create a playbook named 'test'. Get the playbook id from the detail page, like 'e0adabef-c38f-492d-bd92-832bacc3df5f'. An attacker can exploit the directory traversal flaw using the provided URL to access and retrieve the contents of the file. `https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd` a similar method to modify the file content is also present. This issue has been addressed in version 3.6.5. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.9, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-26T20:40:41.578Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33", }, { name: "https://github.com/jumpserver/jumpserver/commit/d0321a74f1713d031560341c8fd0a1859e6510d8", tags: [ "x_refsource_MISC", ], url: "https://github.com/jumpserver/jumpserver/commit/d0321a74f1713d031560341c8fd0a1859e6510d8", }, ], source: { advisory: "GHSA-ghg2-2whp-6m33", discovery: "UNKNOWN", }, title: "Path traversal in Jumpserver", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-42819", datePublished: "2023-09-26T20:40:41.578Z", dateReserved: "2023-09-14T16:13:33.309Z", dateUpdated: "2024-09-23T20:26:00.445Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-29020
Vulnerability from cvelistv5
Published
2024-03-29 14:46
Modified
2024-08-02 01:03
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and the exposure of sensitive data. This vulnerability is fixed in v3.10.6.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62 | x_refsource_CONFIRM |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | >= 3.0.0, <= 3.10.5 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "fit2cloud", versions: [ { lessThanOrEqual: "3.10.5", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-29020", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-29T17:56:16.136001Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-20T18:06:37.056Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.654Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.0.0, <= 3.10.5", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and exposing sensitive data. 
This vulnerability is fixed in v3.10.6.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-639", description: "CWE-639: Authorization Bypass Through User-Controlled Key", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-29T14:46:00.417Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62", }, ], source: { advisory: "GHSA-7mqc-23hr-cr62", discovery: "UNKNOWN", }, title: "JumpServer allows nn authorized attacker to get sensitive information in playbook files when playbook_id is leaked", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-29020", datePublished: "2024-03-29T14:46:00.417Z", dateReserved: "2024-03-14T16:59:47.610Z", dateUpdated: "2024-08-02T01:03:51.654Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-43651
Vulnerability from cvelistv5
Published
2023-09-27 20:24
Modified
2025-03-25 19:35
Summary
JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the Web CLI interface provided by the koko component, a user logs into the authorized MongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96 | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | >= 2.0.0, < 2.28.20; >= 3.0.0, < 3.7.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:44:44.252Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "jumpserver", versions: [ { lessThan: "2.28.20", status: "affected", version: "2.0.0", versionType: "custom", }, { lessThan: "3.7.1", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-43651", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-23T18:52:32.591264Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-23T19:03:07.331Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 2.0.0, < 2.28.20", }, { status: "affected", version: ">= 3.0.0, < 3.7.1", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided by the koko component, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-25T19:35:30.016Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96", }, { name: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2", tags: [ "x_refsource_MISC", ], url: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2", }, ], source: { advisory: "GHSA-4r5x-x283-wm96", discovery: "UNKNOWN", }, title: "Remote code execution on the host system via MongoDB shell in jumpserver", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-43651", datePublished: "2023-09-27T20:24:08.733Z", dateReserved: "2023-09-20T15:35:38.147Z", dateUpdated: "2025-03-25T19:35:30.016Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-43652
Vulnerability from cvelistv5
Published
2023-09-27 18:31
Modified
2025-03-25 19:27
Summary
JumpServer is an open source bastion host. As an unauthenticated user, it is possible to authenticate to the core API with a username and an SSH public key without needing a password or the corresponding SSH private key. An SSH public key should be considered public knowledge and should not be used as an authentication secret alone. JumpServer provides an API for the KoKo component to validate user private key logins. This API does not verify the source of requests and will generate a personal authentication token. Given that public keys can be easily leaked, an attacker can exploit the leaked public key and username to authenticate, subsequently gaining access to the current user's information and authorized actions. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-fr8h-xh5x-r8g9 | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2 | x_refsource_MISC |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | >= 2.0.0, < 2.28.20; >= 3.0.0, < 3.7.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:44:43.828Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-fr8h-xh5x-r8g9", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-fr8h-xh5x-r8g9", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "jumpserver", versions: [ { lessThan: "2.28.20", status: "affected", version: "2.0.0", versionType: "custom", }, { lessThan: "3.7.1", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-43652", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-23T18:53:06.002007Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-23T19:07:28.412Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 2.0.0, < 2.28.20", }, { status: "affected", version: ">= 3.0.0, < 3.7.1", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host. As an unauthenticated user, it is possible to authenticate to the core API with a username and an SSH public key without needing a password or the corresponding SSH private key. An SSH public key should be considered public knowledge and should not used as an authentication secret alone. JumpServer provides an API for the KoKo component to validate user private key logins. This API does not verify the source of requests and will generate a personal authentication token. 
Given that public keys can be easily leaked, an attacker can exploit the leaked public key and username to authenticate, subsequently gaining access to the current user's information and authorized actions. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-25T19:27:03.036Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-fr8h-xh5x-r8g9", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-fr8h-xh5x-r8g9", }, { name: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2", tags: [ "x_refsource_MISC", ], url: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2", }, ], source: { advisory: "GHSA-fr8h-xh5x-r8g9", discovery: "UNKNOWN", }, title: "Non-MFA account takeover via using only SSH public key to login in jumpserver", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-43652", datePublished: "2023-09-27T18:31:41.320Z", dateReserved: "2023-09-20T15:35:38.147Z", dateUpdated: "2025-03-25T19:27:03.036Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-27095
Vulnerability from cvelistv5
Published
2025-03-31 15:08
Modified
2025-03-31 18:53
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535 | x_refsource_CONFIRM |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | < 3.10.18; >= 4.0.0, < 4.8.0 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-27095", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-31T16:29:58.766715Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-31T18:53:50.455Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: "< 3.10.18", }, { status: "affected", version: ">= 4.0.0, < 4.8.0", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. 
This vulnerability is fixed in 4.8.0 and 3.10.18.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-266", description: "CWE-266: Incorrect Privilege Assignment", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-31T15:08:20.942Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535", }, ], source: { advisory: "GHSA-5q9w-f4wh-f535", discovery: "UNKNOWN", }, title: "JumpServer has a Kubernetes Token Leak Vulnerability", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2025-27095", datePublished: "2025-03-31T15:08:20.942Z", dateReserved: "2025-02-18T16:44:48.764Z", dateUpdated: "2025-03-31T18:53:50.455Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-29202
Vulnerability from cvelistv5
Published
2024-03-29 14:57
Modified
2025-03-25 19:57
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | >= 3.0.0, <= 3.10.6 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "fit2cloud", versions: [ { lessThanOrEqual: "3.10.6", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-29202", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-03-29T15:37:01.900006Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-20T18:02:30.181Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:10:54.515Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.0.0, <= 3.10.6", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. 
This vulnerability is fixed in v3.10.7.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 10, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-25T19:57:03.512Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch", }, { name: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2", tags: [ "x_refsource_MISC", ], url: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2", }, ], source: { advisory: "GHSA-2vvr-vmvx-73ch", discovery: "UNKNOWN", }, title: "JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-29202", datePublished: "2024-03-29T14:57:43.606Z", dateReserved: "2024-03-18T17:07:00.096Z", dateUpdated: "2025-03-25T19:57:03.512Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-42818
Vulnerability from cvelistv5
Published
2023-09-27 20:28
Modified
2025-03-25 19:28
Summary
JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit this vulnerability by using a disclosed public key to attempt brute-force authentication against the SSH service. This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.
References

| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2 | x_refsource_MISC |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | >= 3.6.0, < 3.6.5; < 3.5.6 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:30:24.806Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "jumpserver", versions: [ { lessThan: "3.6.5", status: "affected", version: "3.6.0", versionType: "custom", }, { lessThan: "3.5.6", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-42818", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-23T18:52:26.646507Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-23T19:02:05.186Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.6.0, < 3.6.5", }, { status: "affected", version: "< 3.5.6", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. 
There are no known workarounds for this issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287: Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-25T19:28:32.560Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv", }, { name: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2", tags: [ "x_refsource_MISC", ], url: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2", }, ], source: { advisory: "GHSA-jv3c-27cv-w8jv", discovery: "UNKNOWN", }, title: "SSH public key login without private key challenge if mfa is enabled in jumpserver", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-42818", datePublished: "2023-09-27T20:28:30.507Z", dateReserved: "2023-09-14T16:13:33.309Z", dateUpdated: "2025-03-25T19:28:32.560Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-29024
Vulnerability from cvelistv5
Published
2024-03-29 14:45
Modified
2024-08-02 01:03
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system.
An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6.
References
▼ | URL | Tags |
---|---|---|
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version |
---|---|---|
jumpserver | jumpserver | >= 3.0.0, <= 3.10.5 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "fit2cloud", versions: [ { lessThanOrEqual: "3.10.5", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-29024", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-29T15:40:52.736769Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-20T18:03:16.461Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.546Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.0.0, <= 3.10.5", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host and an operation and maintenance security audit system.\nAn authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. 
This vulnerability is fixed in v3.10.6.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-639", description: "CWE-639: Authorization Bypass Through User-Controlled Key", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-29T14:45:56.377Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q", }, ], source: { advisory: "GHSA-8wqm-rfc7-q27q", discovery: "UNKNOWN", }, title: "JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-29024", datePublished: "2024-03-29T14:45:56.377Z", dateReserved: "2024-03-14T16:59:47.611Z", dateUpdated: "2024-08-02T01:03:51.546Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-28110
Vulnerability from cvelistv5
Published
2023-03-16 16:18
Modified
2025-02-25 14:55
Summary
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8.
References
URL | Tags |
---|---|
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29 | x_refsource_CONFIRM |
https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
jumpserver | jumpserver | < 2.28.8 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:30:24.220Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29", }, { name: "https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28110", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-25T14:29:21.172517Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-25T14:55:29.601Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: "< 2.28.8", }, ], }, ], descriptions: [ { lang: "en", value: "Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. 
The vulnerability has been fixed in v2.28.8.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-77", description: "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-16T16:18:49.977Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29", }, { name: "https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8", tags: [ "x_refsource_MISC", ], url: "https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8", }, ], source: { advisory: "GHSA-6x5p-jm59-jh29", discovery: "UNKNOWN", }, title: "JumpServer Koko vulnerable to Command Injection for Kubernetes Connection ", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-28110", datePublished: "2023-03-16T16:18:49.977Z", dateReserved: "2023-03-10T18:34:29.227Z", dateUpdated: "2025-02-25T14:55:29.601Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40628
Vulnerability from cvelistv5
Published
2024-07-18 17:05
Modified
2025-03-25 19:58
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to read arbitrary files in the Celery container, leading to sensitive information disclosure. The Celery container runs as root and has database access, allowing the attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been addressed in release versions 3.10.12 and 4.0.0. It is recommended to upgrade to the safe versions. There are no known workarounds for this vulnerability.
References
URL | Tags |
---|---|
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9 | x_refsource_CONFIRM |
https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
jumpserver | jumpserver | >= 3.0.0, < 3.10.12 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jumpserver", vendor: "jumpserver", versions: [ { lessThan: "3.10.12", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-40628", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-19T14:30:25.764435Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T20:47:59.072Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T04:33:11.849Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.0.0, < 3.10.12", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the ansible playbook to read arbitrary files in the celery container, leading to sensitive information disclosure. The Celery container runs as root and has database access, allowing the attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been addressed in release versions 3.10.12 and 4.0.0. 
It is recommended to upgrade the safe versions. There is no known workarounds for this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 10, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-25T19:58:34.928Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9", }, { name: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2", tags: [ "x_refsource_MISC", ], url: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2", }, ], source: { advisory: "GHSA-rpf7-g4xh-84v9", discovery: "UNKNOWN", }, title: "Arbitrary File Read in Ansible Playbooks in Jumpserver", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-40628", datePublished: "2024-07-18T17:05:21.662Z", dateReserved: "2024-07-08T16:13:15.510Z", dateUpdated: "2025-03-25T19:58:34.928Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-3169
Vulnerability from cvelistv5
Published
2021-07-23 00:00
Modified
2024-08-03 16:45
Summary
An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T16:45:51.391Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://mp.weixin.qq.com/s/5tgcaIrnDnGP-LvWPw9YCg", }, { tags: [ "x_transferred", ], url: "https://s.tencent.com/research/bsafe/1228.html", }, { tags: [ "x_transferred", ], url: "https://blog.fit2cloud.com/?p=1764", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-29T21:37:12.042679", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://mp.weixin.qq.com/s/5tgcaIrnDnGP-LvWPw9YCg", }, { url: "https://s.tencent.com/research/bsafe/1228.html", }, { url: "https://blog.fit2cloud.com/?p=1764", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-3169", datePublished: "2021-07-23T00:00:00", dateReserved: "2021-01-18T00:00:00", dateUpdated: "2024-08-03T16:45:51.391Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-42442
Vulnerability from cvelistv5
Published
2023-09-15 20:29
Modified
2024-09-25 17:27
Summary
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The permission control of the API `/api/v1/terminal/sessions/` is broken, and the endpoint can be accessed anonymously. The `SessionViewSet` permission classes are set to `[RBACPermission | IsSessionAssignee]`; the relation is OR, so a request is allowed if any one permission matches. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the API `$HOST/api/v1/terminal/sessions/?limit=1`. The expected HTTP response code is 401 (`not_authenticated`).
References
Impacted products
Vendor | Product | Version |
---|---|---|
jumpserver | jumpserver | >= 3.0.0, < 3.5.5; >= 3.6.0, < 3.6.4 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:23:38.532Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw", }, { name: "https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a", }, { name: "https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-42442", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-25T17:27:44.770015Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-25T17:27:54.293Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jumpserver", vendor: "jumpserver", versions: [ { status: "affected", version: ">= 3.0.0, < 3.5.5", }, { status: "affected", version: ">= 3.6.0, < 3.6.4", }, ], }, ], descriptions: [ { lang: "en", value: "JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. 
The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287: Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-15T20:29:12.166Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw", }, { name: "https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a", tags: [ "x_refsource_MISC", ], url: "https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a", }, { name: "https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91", tags: [ "x_refsource_MISC", ], url: "https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91", }, ], source: { advisory: "GHSA-633x-3f4f-v9rw", discovery: "UNKNOWN", }, title: "JumpServer session replays download without authentication", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: 
"GitHub_M", cveId: "CVE-2023-42442", datePublished: "2023-09-15T20:29:12.166Z", dateReserved: "2023-09-08T20:57:45.572Z", dateUpdated: "2024-09-25T17:27:54.293Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2021-07-23 21:15
Modified
2024-11-21 06:21
Summary
An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
References
Source | URL | Tags |
---|---|---|
cve@mitre.org | https://blog.fit2cloud.com/?p=1764 | Third Party Advisory |
cve@mitre.org | https://mp.weixin.qq.com/s/5tgcaIrnDnGP-LvWPw9YCg | Third Party Advisory |
cve@mitre.org | https://s.tencent.com/research/bsafe/1228.html | Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.fit2cloud.com/?p=1764 | Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://mp.weixin.qq.com/s/5tgcaIrnDnGP-LvWPw9YCg | Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://s.tencent.com/research/bsafe/1228.html | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
jumpserver | jumpserver | * | |
jumpserver | jumpserver | * | |
jumpserver | jumpserver | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", matchCriteriaId: "687DD45D-6DA6-48F6-BB28-332E257F0816", versionEndExcluding: "2.4.5", versionStartIncluding: "2.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", matchCriteriaId: "FC90E3CD-C460-48C9-B8A0-AE178BF1ADDE", versionEndExcluding: "2.5.4", versionStartIncluding: "2.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*", matchCriteriaId: "BA611799-E428-4FEA-83A2-D447659BA1D2", versionEndExcluding: "2.6.2", versionStartIncluding: "2.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.", }, { lang: "es", value: "Un problema en Jumpserver versiones 2.6.2 e inferiores, permite a atacantes crear un token de conexión mediante una API que no presenta control de acceso y usarlo para acceder a activos confidenciales", }, ], id: "CVE-2021-3169", lastModified: "2024-11-21T06:21:03.100", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-07-23T21:15:07.437", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://blog.fit2cloud.com/?p=1764", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://mp.weixin.qq.com/s/5tgcaIrnDnGP-LvWPw9YCg", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://s.tencent.com/research/bsafe/1228.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://blog.fit2cloud.com/?p=1764", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://mp.weixin.qq.com/s/5tgcaIrnDnGP-LvWPw9YCg", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://s.tencent.com/research/bsafe/1228.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-74", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }