48 vulnerabilities found for jumpserver by fit2cloud
CVE-2026-31864 (GCVE-0-2026-31864)
Vulnerability from nvd – Published: 2026-03-13 19:22 – Updated: 2026-03-13 19:44
Title
JumpServer has a Server-Side Template Injection Leading to RCE via YAML Rendering
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. A Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.
Severity
6.8 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/pull/16608 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.22 |
| jumpserver | jumpserver | Affected: >= 4.0.0, < 4.10.16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:44:43.290795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:44:51.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.22"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template Injection (SSTI) vulnerability exists in JumpServer\u0027s Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:22:05.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc"
},
{
"name": "https://github.com/jumpserver/jumpserver/pull/16608",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/pull/16608"
}
],
"source": {
"advisory": "GHSA-qx8h-rx2j-j5wc",
"discovery": "UNKNOWN"
},
"title": "JumpServer has a Server-Side Template Injection Leading to RCE via YAML Rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31864",
"datePublished": "2026-03-13T19:22:05.168Z",
"dateReserved": "2026-03-09T19:02:25.013Z",
"dateUpdated": "2026-03-13T19:44:51.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31798 (GCVE-0-2026-31798)
Vulnerability from nvd – Published: 2026-03-13 19:15 – Updated: 2026-03-13 19:38
Title
JumpServer Improper Certificate Validation in Custom SMS API Client
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.
Severity
5 (Medium)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 4.10.16-lts |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31798",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:38:25.725504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:38:35.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 4.10.16-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user\u0027s phone. This vulnerability is fixed in v4.10.16-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:15:26.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7"
}
],
"source": {
"advisory": "GHSA-26pj-mmxw-w3w7",
"discovery": "UNKNOWN"
},
"title": "JumpServer Improper Certificate Validation in Custom SMS API Client"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31798",
"datePublished": "2026-03-13T19:15:26.081Z",
"dateReserved": "2026-03-09T16:33:42.912Z",
"dateUpdated": "2026-03-13T19:38:35.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58044 (GCVE-0-2025-58044)
Vulnerability from nvd – Published: 2025-12-01 20:17 – Updated: 2025-12-01 20:33
Title
JumpServer has an Open Redirect Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, the /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5.
Severity
5.5 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.19 |
| jumpserver | jumpserver | Affected: >= 4.0.0, < 4.10.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T20:33:23.179224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T20:33:33.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.19"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T20:17:44.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b"
}
],
"source": {
"advisory": "GHSA-h762-mj7p-jwjq",
"discovery": "UNKNOWN"
},
"title": "JumpServer has an Open Redirect Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58044",
"datePublished": "2025-12-01T20:17:44.222Z",
"dateReserved": "2025-08-22T14:30:32.220Z",
"dateUpdated": "2025-12-01T20:33:33.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62795 (GCVE-0-2025-62795)
Vulnerability from nvd – Published: 2025-10-30 16:56 – Updated: 2025-10-31 18:37
Title
JumpServer Unauthorized LDAP Configuration Access via WebSocket
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.
Severity
7.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822 | x_refsource_CONFIRM, exploit |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.21-lts |
| jumpserver | jumpserver | Affected: >= 4.0.0, < 4.10.12-lts |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62795",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T18:37:38.995822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T18:37:42.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.21-lts"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.12-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T16:56:09.321Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822"
}
],
"source": {
"advisory": "GHSA-7893-256g-m822",
"discovery": "UNKNOWN"
},
"title": "JumpServer Unauthorized LDAP Configuration Access via WebSocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62795",
"datePublished": "2025-10-30T16:56:09.321Z",
"dateReserved": "2025-10-22T18:55:48.011Z",
"dateUpdated": "2025-10-31T18:37:42.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62712 (GCVE-0-2025-62712)
Vulnerability from nvd – Published: 2025-10-30 16:08 – Updated: 2025-10-31 17:42
Title
JumpServer Connection Token Leak Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.
Severity
9.6 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7 | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 4.0.0, < 4.10.11-lts |
| jumpserver | jumpserver | Affected: < 3.10.20-lts |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T17:42:29.377455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T17:42:40.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.11-lts"
},
{
"status": "affected",
"version": "\u003c 3.10.20-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T16:08:32.669Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491"
}
],
"source": {
"advisory": "GHSA-6ghx-6vpv-3wg7",
"discovery": "UNKNOWN"
},
"title": "JumpServer Connection Token Leak Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62712",
"datePublished": "2025-10-30T16:08:32.669Z",
"dateReserved": "2025-10-20T19:41:22.740Z",
"dateUpdated": "2025-10-31T17:42:40.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27095 (GCVE-0-2025-27095)
Vulnerability from nvd – Published: 2025-03-31 15:08 – Updated: 2025-03-31 18:53
Title
JumpServer has a Kubernetes Token Leak Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18.
Severity
4.3 (Medium)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.18 |
| jumpserver | jumpserver | Affected: >= 4.0.0, < 4.8.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27095",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:29:58.766715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T18:53:50.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.18"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:08:20.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535"
}
],
"source": {
"advisory": "GHSA-5q9w-f4wh-f535",
"discovery": "UNKNOWN"
},
"title": "JumpServer has a Kubernetes Token Leak Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27095",
"datePublished": "2025-03-31T15:08:20.942Z",
"dateReserved": "2025-02-18T16:44:48.764Z",
"dateUpdated": "2025-03-31T18:53:50.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40629 (GCVE-0-2024-40629)
Vulnerability from nvd – Published: 2024-07-18 17:04 – Updated: 2025-03-25 19:59
Title
Arbitrary File Write in Ansible Playbooks leads to RCE in Jumpserver
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade to the safe versions. There are no known workarounds for this vulnerability.
Severity
10 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, < 3.10.12 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"lessThan": "3.10.12",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40629",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T18:35:30.424372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T18:40:01.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.10.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade the safe versions. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:59:14.014Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-3wgp-q8m7-v33v",
"discovery": "UNKNOWN"
},
"title": "Arbitrary File Write in Ansible Playbooks leads to RCE in Jumpserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40629",
"datePublished": "2024-07-18T17:04:10.251Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2025-03-25T19:59:14.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40628 (GCVE-0-2024-40628)
Vulnerability from nvd – Published: 2024-07-18 17:05 – Updated: 2025-03-25 19:58
Title
Arbitrary File Read in Ansible Playbooks in Jumpserver
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to read arbitrary files in the Celery container, leading to sensitive information disclosure. The Celery container runs as root and has database access, allowing the attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been addressed in release versions 3.10.12 and 4.0.0. It is recommended to upgrade to the safe versions. There are no known workarounds for this vulnerability.
Severity
10 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9 | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, < 3.10.12 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"lessThan": "3.10.12",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40628",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:30:25.764435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T20:47:59.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.10.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the ansible playbook to read arbitrary files in the celery container, leading to sensitive information disclosure. The Celery container runs as root and has database access, allowing the attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been addressed in release versions 3.10.12 and 4.0.0. It is recommended to upgrade the safe versions. There is no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:58:34.928Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-rpf7-g4xh-84v9",
"discovery": "UNKNOWN"
},
"title": "Arbitrary File Read in Ansible Playbooks in Jumpserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40628",
"datePublished": "2024-07-18T17:05:21.662Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2025-03-25T19:58:34.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29202 (GCVE-0-2024-29202)
Vulnerability from nvd – Published: 2024-03-29 14:57 – Updated: 2025-03-25 19:57
Title
JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
Severity
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.6 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.6",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29202",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T15:37:01.900006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:02:30.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer\u0027s Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:57:03.512Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-2vvr-vmvx-73ch",
"discovery": "UNKNOWN"
},
"title": "JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29202",
"datePublished": "2024-03-29T14:57:43.606Z",
"dateReserved": "2024-03-18T17:07:00.096Z",
"dateUpdated": "2025-03-25T19:57:03.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29201 (GCVE-0-2024-29201)
Vulnerability from nvd – Published: 2024-03-29 14:57 – Updated: 2025-03-25 19:38
Title
JumpServer's insecure Ansible playbook validation leads to RCE in Celery
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
Severity
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.6 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.6",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29201",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T15:37:01.900006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:04:08.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer\u0027s Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:38:50.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-pjpp-cm9x-6rwj",
"discovery": "UNKNOWN"
},
"title": "JumpServer\u0027s insecure Ansible playbook validation leads to RCE in Celery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29201",
"datePublished": "2024-03-29T14:57:40.323Z",
"dateReserved": "2024-03-18T17:07:00.096Z",
"dateUpdated": "2025-03-25T19:38:50.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29024 (GCVE-0-2024-29024)
Vulnerability from nvd – Published: 2024-03-29 14:45 – Updated: 2024-08-02 01:03
Title
JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system.
An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6.
Severity
4.6 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.5",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29024",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T15:40:52.736769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:03:16.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system.\nAn authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager\u0027s bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-29T14:45:56.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q"
}
],
"source": {
"advisory": "GHSA-8wqm-rfc7-q27q",
"discovery": "UNKNOWN"
},
"title": "JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29024",
"datePublished": "2024-03-29T14:45:56.377Z",
"dateReserved": "2024-03-14T16:59:47.611Z",
"dateUpdated": "2024-08-02T01:03:51.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29020 (GCVE-0-2024-29020)
Vulnerability from nvd – Published: 2024-03-29 14:46 – Updated: 2024-08-02 01:03
Title
JumpServer allows an authorized attacker to get sensitive information in playbook files when playbook_id is leaked
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and exposing sensitive data. This vulnerability is fixed in v3.10.6.
Severity
4.6 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.5",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T17:56:16.136001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:06:37.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and exposing sensitive data. This vulnerability is fixed in v3.10.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-29T14:46:00.417Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62"
}
],
"source": {
"advisory": "GHSA-7mqc-23hr-cr62",
"discovery": "UNKNOWN"
},
"title": "JumpServer allows nn authorized attacker to get sensitive information in playbook files when playbook_id is leaked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29020",
"datePublished": "2024-03-29T14:46:00.417Z",
"dateReserved": "2024-03-14T16:59:47.610Z",
"dateUpdated": "2024-08-02T01:03:51.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24763 (GCVE-0-2024-24763)
Vulnerability from nvd – Published: 2024-02-20 17:35 – Updated: 2024-08-01 23:28
Title
JumpServer Open Redirect Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available.
Severity
4.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:48:50.372212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:21.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:11.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5"
},
{
"name": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T17:35:08.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5"
},
{
"name": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0"
}
],
"source": {
"advisory": "GHSA-p2mq-cm25-g4m5",
"discovery": "UNKNOWN"
},
"title": "JumpServer Open Redirect Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24763",
"datePublished": "2024-02-20T17:35:08.825Z",
"dateReserved": "2024-01-29T20:51:26.011Z",
"dateUpdated": "2024-08-01T23:28:11.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48193 (GCVE-0-2023-48193)
Vulnerability from nvd – Published: 2023-11-28 00:00 – Updated: 2024-08-02 21:23 Disputed
Summary
Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users who are allowed to execute files.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver"
},
{
"tags": [
"x_transferred"
],
"url": "http://jumpserver.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.fit2cloud.com/?p=8cf83cd9-c23b-4625-9350-38926fb7f88e"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/issues/13394"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users who are allowed to execute files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T11:42:49.340Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/jumpserver/jumpserver"
},
{
"url": "http://jumpserver.com"
},
{
"url": "https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md"
},
{
"url": "https://blog.fit2cloud.com/?p=8cf83cd9-c23b-4625-9350-38926fb7f88e"
},
{
"url": "https://github.com/jumpserver/jumpserver/issues/13394"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-48193",
"datePublished": "2023-11-28T00:00:00.000Z",
"dateReserved": "2023-11-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T21:23:39.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46138 (GCVE-0-2023-46138)
Vulnerability from nvd – Published: 2023-10-30 23:53 – Updated: 2024-09-05 20:17
Title
JumpServer default admin user email leak password reset
Summary
JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.
Severity
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:17:08.084202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:17:16.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T23:53:15.101Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88"
}
],
"source": {
"advisory": "GHSA-9mrc-75cv-46cq",
"discovery": "UNKNOWN"
},
"title": "JumpServer default admin user email leak password reset"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46138",
"datePublished": "2023-10-30T23:53:15.101Z",
"dateReserved": "2023-10-16T17:51:35.574Z",
"dateUpdated": "2024-09-05T20:17:16.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-31864 (GCVE-0-2026-31864)
Vulnerability from cvelistv5 – Published: 2026-03-13 19:22 – Updated: 2026-03-13 19:44
Title
JumpServer has a Server-Side Template Injection Leading to RCE via YAML Rendering
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. A Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.
Severity
6.8 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.22; Affected: >= 4.0.0, < 4.10.16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:44:43.290795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:44:51.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.22"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template Injection (SSTI) vulnerability exists in JumpServer\u0027s Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:22:05.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc"
},
{
"name": "https://github.com/jumpserver/jumpserver/pull/16608",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/pull/16608"
}
],
"source": {
"advisory": "GHSA-qx8h-rx2j-j5wc",
"discovery": "UNKNOWN"
},
"title": "JumpServer has a Server-Side Template Injection Leading to RCE via YAML Rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31864",
"datePublished": "2026-03-13T19:22:05.168Z",
"dateReserved": "2026-03-09T19:02:25.013Z",
"dateUpdated": "2026-03-13T19:44:51.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31798 (GCVE-0-2026-31798)
Vulnerability from cvelistv5 – Published: 2026-03-13 19:15 – Updated: 2026-03-13 19:38
Title
JumpServer Improper Certificate Validation in Custom SMS API Client
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.
Severity
5 (Medium)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 4.10.16-lts |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31798",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:38:25.725504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:38:35.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 4.10.16-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user\u0027s phone. This vulnerability is fixed in v4.10.16-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:15:26.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7"
}
],
"source": {
"advisory": "GHSA-26pj-mmxw-w3w7",
"discovery": "UNKNOWN"
},
"title": "JumpServer Improper Certificate Validation in Custom SMS API Client"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31798",
"datePublished": "2026-03-13T19:15:26.081Z",
"dateReserved": "2026-03-09T16:33:42.912Z",
"dateUpdated": "2026-03-13T19:38:35.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58044 (GCVE-0-2025-58044)
Vulnerability from cvelistv5 – Published: 2025-12-01 20:17 – Updated: 2025-12-01 20:33
Title
JumpServer has an Open Redirect Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, the /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5.
Severity
5.5 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.19; Affected: >= 4.0.0, < 4.10.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T20:33:23.179224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T20:33:33.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.19"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T20:17:44.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b"
}
],
"source": {
"advisory": "GHSA-h762-mj7p-jwjq",
"discovery": "UNKNOWN"
},
"title": "JumpServer has an Open Redirect Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58044",
"datePublished": "2025-12-01T20:17:44.222Z",
"dateReserved": "2025-08-22T14:30:32.220Z",
"dateUpdated": "2025-12-01T20:33:33.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62795 (GCVE-0-2025-62795)
Vulnerability from cvelistv5 – Published: 2025-10-30 16:56 – Updated: 2025-10-31 18:37
Title
JumpServer Unauthorized LDAP Configuration Access via WebSocket
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.
Severity
7.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822 | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822 | exploit (CISA ADP) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.21-lts; Affected: >= 4.0.0, < 4.10.12-lts |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62795",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T18:37:38.995822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T18:37:42.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.21-lts"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.12-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T16:56:09.321Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822"
}
],
"source": {
"advisory": "GHSA-7893-256g-m822",
"discovery": "UNKNOWN"
},
"title": "JumpServer Unauthorized LDAP Configuration Access via WebSocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62795",
"datePublished": "2025-10-30T16:56:09.321Z",
"dateReserved": "2025-10-22T18:55:48.011Z",
"dateUpdated": "2025-10-31T18:37:42.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62712 (GCVE-0-2025-62712)
Vulnerability from cvelistv5 – Published: 2025-10-30 16:08 – Updated: 2025-10-31 17:42
Title
JumpServer Connection Token Leak Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.
Severity
9.6 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7 | x_refsource_CONFIRM |
| https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 4.0.0, < 4.10.11-lts; Affected: < 3.10.20-lts |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T17:42:29.377455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T17:42:40.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.11-lts"
},
{
"status": "affected",
"version": "\u003c 3.10.20-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T16:08:32.669Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491"
}
],
"source": {
"advisory": "GHSA-6ghx-6vpv-3wg7",
"discovery": "UNKNOWN"
},
"title": "JumpServer Connection Token Leak Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62712",
"datePublished": "2025-10-30T16:08:32.669Z",
"dateReserved": "2025-10-20T19:41:22.740Z",
"dateUpdated": "2025-10-31T17:42:40.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27095 (GCVE-0-2025-27095)
Vulnerability from cvelistv5 – Published: 2025-03-31 15:08 – Updated: 2025-03-31 18:53
Title
JumpServer has a Kubernetes Token Leak Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18.
Severity
4.3 (Medium)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.18; Affected: >= 4.0.0, < 4.8.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27095",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:29:58.766715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T18:53:50.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.18"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:08:20.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535"
}
],
"source": {
"advisory": "GHSA-5q9w-f4wh-f535",
"discovery": "UNKNOWN"
},
"title": "JumpServer has a Kubernetes Token Leak Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27095",
"datePublished": "2025-03-31T15:08:20.942Z",
"dateReserved": "2025-02-18T16:44:48.764Z",
"dateUpdated": "2025-03-31T18:53:50.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40628 (GCVE-0-2024-40628)
Vulnerability from cvelistv5 – Published: 2024-07-18 17:05 – Updated: 2025-03-25 19:58
Title
Arbitrary File Read in Ansible Playbooks in Jumpserver
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to read arbitrary files in the Celery container, leading to sensitive information disclosure. The Celery container runs as root and has database access, allowing the attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been addressed in release versions 3.10.12 and 4.0.0. It is recommended to upgrade to the safe versions. There are no known workarounds for this vulnerability.
Severity
10 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9 | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, < 3.10.12 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"lessThan": "3.10.12",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40628",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:30:25.764435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T20:47:59.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.10.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the ansible playbook to read arbitrary files in the celery container, leading to sensitive information disclosure. The Celery container runs as root and has database access, allowing the attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been addressed in release versions 3.10.12 and 4.0.0. It is recommended to upgrade the safe versions. There is no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:58:34.928Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-rpf7-g4xh-84v9",
"discovery": "UNKNOWN"
},
"title": "Arbitrary File Read in Ansible Playbooks in Jumpserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40628",
"datePublished": "2024-07-18T17:05:21.662Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2025-03-25T19:58:34.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40629 (GCVE-0-2024-40629)
Vulnerability from cvelistv5 – Published: 2024-07-18 17:04 – Updated: 2025-03-25 19:59
Title
Arbitrary File Write in Ansible Playbooks leads to RCE in Jumpserver
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade to the safe versions. There are no known workarounds for this vulnerability.
Severity
10 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, < 3.10.12 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"lessThan": "3.10.12",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40629",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T18:35:30.424372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T18:40:01.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.10.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade the safe versions. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:59:14.014Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-3wgp-q8m7-v33v",
"discovery": "UNKNOWN"
},
"title": "Arbitrary File Write in Ansible Playbooks leads to RCE in Jumpserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40629",
"datePublished": "2024-07-18T17:04:10.251Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2025-03-25T19:59:14.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29202 (GCVE-0-2024-29202)
Vulnerability from cvelistv5 – Published: 2024-03-29 14:57 – Updated: 2025-03-25 19:57
Title
JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
Severity
10 (Critical), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
GitHub_M
References
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch (x_refsource_CONFIRM)
- https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.6 |
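The "Affected" column above, like the same column in every record on this page, is a free-text constraint (">= 3.0.0, <= 3.10.6", "< 3.10.0", and so on) rather than a machine-checkable range. The following is an added example, not code from JumpServer or from the CVE program, that turns those strings into a check of a deployed version. The AFFECTED_RANGES table is transcribed from the CNA "versions" fields of the records on this page and covers exactly what they state: the CVE-2024-40629 record lists only the 3.x range although its description names 4.0.0 as a fixed release as well, and version strings with suffixes (release candidates, build tags) are rejected rather than guessed at.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges transcribed from the CNA "versions" fields of the records on this page.
# A CVE may list several ranges (they are ORed); the clauses inside one range are ANDed.
AFFECTED_RANGES: Dict[str, List[str]] = {
    "CVE-2024-40629": [">= 3.0.0, < 3.10.12"],
    "CVE-2024-29202": [">= 3.0.0, <= 3.10.6"],
    "CVE-2024-29201": [">= 3.0.0, <= 3.10.6"],
    "CVE-2024-29020": [">= 3.0.0, <= 3.10.5"],
    "CVE-2024-29024": [">= 3.0.0, <= 3.10.5"],
    "CVE-2024-24763": ["< 3.10.0"],
    "CVE-2023-46138": ["< 3.8.0"],
}

# One clause: optional operator, optional leading "v", dotted integers. "<=" must precede "<".
_CLAUSE = re.compile(r"^\s*(<=|>=|<|>|==|=)?\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> Version:
    """'v3.10.7' -> (3, 10, 7). Integer tuples compare numerically, so 3.10.10 > 3.10.9."""
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so '3.10' and '3.10.0' compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(version: Version, clause: str) -> bool:
    """Evaluate one clause such as '<= 3.10.6' (a bare version means '==')."""
    match = _CLAUSE.match(clause)
    if not match:
        raise ValueError(f"unsupported clause: {clause!r}")
    op = match.group(1) or "=="
    v, bound = _padded(version, parse_version(match.group(2)))
    return {
        "<": v < bound, "<=": v <= bound, ">": v > bound, ">=": v >= bound,
        "==": v == bound, "=": v == bound,
    }[op]


def in_range(version_text: str, spec: str) -> bool:
    """Comma-separated clauses are ANDed: '>= 3.0.0, < 3.10.12' means 3.0.0 <= v < 3.10.12."""
    version = parse_version(version_text)
    return all(satisfies(version, clause) for clause in spec.split(","))


def affected_cves(version_text: str, ranges: Dict[str, List[str]] = AFFECTED_RANGES) -> List[str]:
    """All CVE ids in `ranges` whose affected versions include `version_text`, in table order."""
    return [cve for cve, specs in ranges.items() if any(in_range(version_text, s) for s in specs)]


if __name__ == "__main__":
    for deployed in ("3.10.5", "3.10.6", "v3.10.12"):
        print(deployed, "->", affected_cves(deployed) or "none of the listed CVEs")
```

Comparison is on integer tuples, so 3.10.10 sorts above 3.10.9, which a string comparison gets wrong; a record that lists several version entries is treated as a union, and a version the parser does not understand raises instead of silently reporting "not affected".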
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.6",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29202",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T15:37:01.900006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:02:30.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer\u0027s Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:57:03.512Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-2vvr-vmvx-73ch",
"discovery": "UNKNOWN"
},
"title": "JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29202",
"datePublished": "2024-03-29T14:57:43.606Z",
"dateReserved": "2024-03-18T17:07:00.096Z",
"dateUpdated": "2025-03-25T19:57:03.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29201 (GCVE-0-2024-29201)
Vulnerability from cvelistv5 – Published: 2024-03-29 14:57 – Updated: 2025-03-25 19:38
Title
JumpServer's insecure Ansible playbook validation leads to RCE in Celery
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
Severity
10 (Critical), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
GitHub_M
References
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj (x_refsource_CONFIRM)
- https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.6 |
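The three Ansible issues on this page (CVE-2024-40629, arbitrary file write from a playbook; CVE-2024-29202, Jinja2 template injection; and this validation bypass) share one root cause: a user-supplied playbook reaches a root-privileged runner after a check that looks at only part of it. The advisories do not publish the validator, so the following is an added example, not JumpServer's code. denylist_check is an illustrative reconstruction of the weak pattern (a module-name denylist over top-level tasks), and allowlist_check is the shape a practitioner would replace it with: it walks nested tasks, refuses includes, confines file writes to a job directory, and refuses template syntax in user values. The module allowlist, the write_root directory and both sample playbooks are constructed for the example; the playbooks are given as the Python structures yaml.safe_load would return, so the block needs no YAML library.

```python
import os
from typing import Any, Dict, Iterator, List

# Illustrative module allowlist for an operator-facing job runner (assumption, not JumpServer's list).
ALLOWED_MODULES = {"ping", "setup", "debug", "copy", "ansible.builtin.ping",
                   "ansible.builtin.setup", "ansible.builtin.debug", "ansible.builtin.copy"}
# Names the weak checker denies: a denylist only catches what it spells out.
DENIED_MODULES = {"shell", "command", "raw", "script", "ansible.builtin.shell",
                  "ansible.builtin.command", "ansible.builtin.raw", "ansible.builtin.script"}
# Keys that pull tasks in from elsewhere, so reviewing this file says nothing about what will run.
INCLUDE_KEYS = {"include", "include_tasks", "import_tasks", "include_role", "import_role", "import_playbook"}
NESTING_KEYS = ("block", "rescue", "always")
# Task-level keywords that are not module names (the subset needed for the samples below).
TASK_KEYWORDS = {"name", "when", "loop", "with_items", "register", "vars", "tags", "become",
                 "become_user", "delegate_to", "args", "notify", "ignore_errors", "no_log"}
JINJA_MARKERS = ("{{", "{%", "{#")


def denylist_check(playbook: List[Dict[str, Any]]) -> List[str]:
    """The weak pattern: inspect only top-level 'tasks', and only by module name."""
    problems = []
    for play in playbook:
        for task in play.get("tasks", []):
            problems.extend(f"denied module: {key}" for key in task if key in DENIED_MODULES)
    return problems


def _walk_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every task, descending into block/rescue/always."""
    for task in tasks:
        yield task
        for key in NESTING_KEYS:
            if key in task:
                yield from _walk_tasks(task[key])


def _strings(value: Any) -> Iterator[str]:
    """Every string scalar inside a task's own fields."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def is_under(base: str, path: str) -> bool:
    """True if `path` (absolute, or relative to `base`) stays inside `base` once '..' is normalised."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))   # an absolute `path` discards `base` here
    return os.path.commonpath([base, target]) == base


def allowlist_check(playbook: List[Dict[str, Any]], write_root: str = "/srv/jobs/out") -> List[str]:
    """Recursive allowlist: unknown modules, includes, out-of-tree writes and template syntax are rejected."""
    problems = []
    for play in playbook:
        if "roles" in play:
            problems.append("roles pull in tasks from outside this file")
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in _walk_tasks(play.get(section, [])):
                own = {k: v for k, v in task.items() if k not in NESTING_KEYS}
                for key, args in own.items():
                    if key in TASK_KEYWORDS:
                        continue
                    if key in INCLUDE_KEYS:
                        problems.append(f"include not allowed: {key}={args}")
                    elif key not in ALLOWED_MODULES:
                        problems.append(f"module not allowed: {key}")
                    elif key.endswith("copy"):
                        dest = args.get("dest") if isinstance(args, dict) else None
                        if dest is None or not is_under(write_root, dest):
                            problems.append(f"copy dest outside {write_root}: {dest}")
                for text in _strings(own):
                    if any(marker in text for marker in JINJA_MARKERS):
                        problems.append(f"template syntax in user-supplied value: {text}")
    return problems


# Constructed sample: clean under the shallow denylist, rejected four times by the recursive allowlist.
EVASIVE_PLAYBOOK = [{
    "hosts": "all",
    "tasks": [
        {"name": "looks harmless", "ping": {}},
        {"name": "nesting hides the module from a top-level scan",
         "block": [{"name": "hidden", "shell": "uname -a"}]},
        {"name": "tasks resolved only at run time", "include_tasks": "more.yml"},
        {"name": "write outside the job directory",
         "copy": {"content": "hello\n", "dest": "/etc/cron.d/job"}},
        {"name": "value rendered by the template engine", "debug": {"msg": "{{ some_var }}"}},
    ],
}]

BENIGN_PLAYBOOK = [{
    "hosts": "all",
    "tasks": [
        {"name": "reachability", "ping": {}},
        {"name": "report stays in the job directory",
         "copy": {"content": "report\n", "dest": "sub/report.txt"}},
    ],
}]
```

Two caveats. Rejecting "{{" in user values is a stop-gap for the template-injection case; the durable fix is to render untrusted values in a sandboxed environment or to mark them so the engine never evaluates them (Ansible's `!unsafe` tag does this). And is_under normalises ".." lexically and through symlinks that exist at check time, so the check must run on the same host, against the same path, as the write it guards.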
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.6",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29201",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T15:37:01.900006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:04:08.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer\u0027s Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T19:38:50.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj"
},
{
"name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2"
}
],
"source": {
"advisory": "GHSA-pjpp-cm9x-6rwj",
"discovery": "UNKNOWN"
},
"title": "JumpServer\u0027s insecure Ansible playbook validation leads to RCE in Celery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29201",
"datePublished": "2024-03-29T14:57:40.323Z",
"dateReserved": "2024-03-18T17:07:00.096Z",
"dateUpdated": "2025-03-25T19:38:50.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29020 (GCVE-0-2024-29020)
Vulnerability from cvelistv5 – Published: 2024-03-29 14:46 – Updated: 2024-08-02 01:03
Title
JumpServer allows an authorized attacker to get sensitive information in playbook files when playbook_id is leaked
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and exposing sensitive data. This vulnerability is fixed in v3.10.6.
Severity
4.6 (Medium), CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62 (x_refsource_CONFIRM)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.5",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T17:56:16.136001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:06:37.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and exposing sensitive data. This vulnerability is fixed in v3.10.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-29T14:46:00.417Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7mqc-23hr-cr62"
}
],
"source": {
"advisory": "GHSA-7mqc-23hr-cr62",
"discovery": "UNKNOWN"
},
"title": "JumpServer allows nn authorized attacker to get sensitive information in playbook files when playbook_id is leaked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29020",
"datePublished": "2024-03-29T14:46:00.417Z",
"dateReserved": "2024-03-14T16:59:47.610Z",
"dateUpdated": "2024-08-02T01:03:51.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29024 (GCVE-0-2024-29024)
Vulnerability from cvelistv5 – Published: 2024-03-29 14:45 – Updated: 2024-08-02 01:03
Title
JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6.
Severity
4.6 (Medium), CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q (x_refsource_CONFIRM)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: >= 3.0.0, <= 3.10.5 |
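Both CWE-639 records on this page (CVE-2024-29020, playbook files read through a leaked playbook_id, and CVE-2024-29024, file-manager bulk-transfer jobs addressed by job ID) are the same mistake: an object is fetched by a caller-supplied key without checking that the caller owns it. The following is an added example, not JumpServer's code, built on a constructed in-memory store. It puts the unscoped lookup beside the owner-scoped one and adds the detection a SOC would want, flagging an actor whose denied requests span several distinct ids.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


class NotFound(Exception):
    """One exception for 'no such object' and 'not yours', so a response never confirms an id exists."""


@dataclass(frozen=True)
class Playbook:
    id: str
    owner: str
    path: str


# Constructed store standing in for the playbook table; the id is a caller-supplied key at the API edge.
PLAYBOOKS: Dict[str, Playbook] = {
    "pb-0001": Playbook("pb-0001", "alice", "/data/playbooks/alice/deploy.yml"),
    "pb-0002": Playbook("pb-0002", "bob", "/data/playbooks/bob/rotate-keys.yml"),
}

# (actor, object_id, outcome) records written by the scoped lookup.
AUDIT: List[Tuple[str, str, str]] = []


def get_playbook_unscoped(playbook_id: str) -> Playbook:
    """Vulnerable pattern (CWE-639): lookup keyed only on the caller-supplied id; the owner is never consulted."""
    return PLAYBOOKS[playbook_id]


def get_playbook_for(actor: str, playbook_id: str) -> Playbook:
    """Hardened pattern: the lookup is scoped to the actor, and every miss is audited."""
    playbook = PLAYBOOKS.get(playbook_id)
    if playbook is None or playbook.owner != actor:
        AUDIT.append((actor, playbook_id, "denied"))
        raise NotFound(playbook_id)
    AUDIT.append((actor, playbook_id, "ok"))
    return playbook


def can_access(actor: str, playbook_id: str) -> bool:
    """Boolean wrapper around the scoped lookup, for callers that only need yes/no."""
    try:
        get_playbook_for(actor, playbook_id)
        return True
    except NotFound:
        return False


def probing_actors(audit: List[Tuple[str, str, str]], threshold: int = 3) -> List[str]:
    """Detection: actors denied on at least `threshold` distinct ids are walking the key space."""
    denied: Dict[str, Set[str]] = {}
    for actor, object_id, outcome in audit:
        if outcome == "denied":
            denied.setdefault(actor, set()).add(object_id)
    return sorted(actor for actor, ids in denied.items() if len(ids) >= threshold)


def simulate() -> List[str]:
    """Replay a constructed request sequence and return the actors flagged as probing."""
    AUDIT.clear()
    can_access("alice", "pb-0001")                    # owner: allowed
    can_access("bob", "pb-0001")                      # one stray miss is not a pattern
    for guess in ("pb-0001", "pb-0002", "pb-0003", "pb-0004"):
        can_access("mallory", guess)                  # sequential ids: three or more distinct misses
    return probing_actors(AUDIT)
```

In a Django-style ORM the same fix is to query through the caller (filter on owner and id together) rather than fetching by primary key and checking afterwards, and to return the same not-found response whether the object is missing or belongs to someone else; the audit rows are what makes the enumeration visible.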
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:jumpserver:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jumpserver",
"vendor": "fit2cloud",
"versions": [
{
"lessThanOrEqual": "3.10.5",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29024",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T15:40:52.736769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T18:03:16.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system.\nAn authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager\u0027s bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-29T14:45:56.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-8wqm-rfc7-q27q"
}
],
"source": {
"advisory": "GHSA-8wqm-rfc7-q27q",
"discovery": "UNKNOWN"
},
"title": "JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29024",
"datePublished": "2024-03-29T14:45:56.377Z",
"dateReserved": "2024-03-14T16:59:47.611Z",
"dateUpdated": "2024-08-02T01:03:51.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24763 (GCVE-0-2024-24763)
Vulnerability from cvelistv5 – Published: 2024-02-20 17:35 – Updated: 2024-08-01 23:28
Title
JumpServer Open Redirect Vulnerability
Summary
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available.
Severity
4.3 (Medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
GitHub_M
References
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5 (x_refsource_CONFIRM)
- https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.10.0 |
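The summary does not say which parameter is reflected, so the following is an added example, not JumpServer's code, of the check a login or logout view should apply to any user-supplied return URL before redirecting to it. OWN_HOSTS is constructed for the example. It covers the shapes that commonly slip past a naive "starts with /" test, including the javascript: scheme the summary alludes to when it mentions cross-site scripting.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Host names this deployment answers on (assumption: constructed for the example).
OWN_HOSTS = ("jumpserver.example.com",)


def is_safe_redirect_target(target: str, allowed_hosts: Iterable[str] = OWN_HOSTS) -> bool:
    """Accept only same-origin absolute paths or https URLs whose host is one of ours.

    Rejects the usual open-redirect shapes: scheme-relative '//host' and '///host',
    backslash variants the browser normalises to '/', userinfo spoofing 'ours@evil',
    and non-https schemes (javascript:, data:, plain http) that turn the redirect
    into script execution or a downgrade.
    """
    if not target:
        return False
    t = target.strip()
    if "\\" in t or any(ord(ch) < 0x20 for ch in t):
        return False                      # '/\evil' and control characters
    if t.startswith("//"):
        return False                      # '//evil' and '///evil' both leave the site
    parts = urlsplit(t)
    if parts.scheme:
        if parts.scheme.lower() != "https":
            return False                  # javascript:, data:, mailto:, http:
        if not parts.hostname or "@" in parts.netloc:
            return False                  # 'https:evil' (no authority) or 'https://ours@evil'
        return parts.hostname.lower() in {h.lower() for h in allowed_hosts}
    if parts.netloc:
        return False
    return parts.path.startswith("/")     # a bare absolute path resolves against our origin


def safe_next_url(target: str, fallback: str = "/", allowed_hosts: Iterable[str] = OWN_HOSTS) -> str:
    """What a login or logout view should do with ?next=: use it only if it passes the check."""
    return target.strip() if is_safe_redirect_target(target, allowed_hosts) else fallback


if __name__ == "__main__":
    for candidate in ("/ui/assets", "//evil.example/", "javascript:alert(1)",
                      "https://jumpserver.example.com@evil.example/",
                      "https://jumpserver.example.com/ui/"):
        print(f"{candidate!r:50} -> {safe_next_url(candidate)!r}")
```

Django ships the equivalent as django.utils.http.url_has_allowed_host_and_scheme; the value of writing it out is seeing which inputs it has to reject. Compare against the parsed host name, never by substring, and decide on the stripped value that you then actually redirect to, not on a copy.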
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:48:50.372212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:21.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:11.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5"
},
{
"name": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T17:35:08.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-p2mq-cm25-g4m5"
},
{
"name": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/releases/tag/v3.10.0"
}
],
"source": {
"advisory": "GHSA-p2mq-cm25-g4m5",
"discovery": "UNKNOWN"
},
"title": "JumpServer Open Redirect Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24763",
"datePublished": "2024-02-20T17:35:08.825Z",
"dateReserved": "2024-01-29T20:51:26.011Z",
"dateUpdated": "2024-08-01T23:28:11.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48193 (GCVE-0-2023-48193)
Vulnerability from cvelistv5 – Published: 2023-11-28 00:00 – Updated: 2024-08-02 21:23 Disputed
Summary
Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users who are allowed to execute files.
Severity
No CVSS data available.
CWE
- n/a
Assigner
mitre
References
- https://github.com/jumpserver/jumpserver
- http://jumpserver.com
- https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md
- https://blog.fit2cloud.com/?p=8cf83cd9-c23b-4625-9350-38926fb7f88e
- https://github.com/jumpserver/jumpserver/issues/13394
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver"
},
{
"tags": [
"x_transferred"
],
"url": "http://jumpserver.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.fit2cloud.com/?p=8cf83cd9-c23b-4625-9350-38926fb7f88e"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/issues/13394"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users who are allowed to execute files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T11:42:49.340Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/jumpserver/jumpserver"
},
{
"url": "http://jumpserver.com"
},
{
"url": "https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md"
},
{
"url": "https://blog.fit2cloud.com/?p=8cf83cd9-c23b-4625-9350-38926fb7f88e"
},
{
"url": "https://github.com/jumpserver/jumpserver/issues/13394"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-48193",
"datePublished": "2023-11-28T00:00:00.000Z",
"dateReserved": "2023-11-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T21:23:39.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46138 (GCVE-0-2023-46138)
Vulnerability from cvelistv5 – Published: 2023-10-30 23:53 – Updated: 2024-09-05 20:17
Title
JumpServer default admin user email leak password reset
Summary
JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.
Severity
3.7 (Low), CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
GitHub_M
References
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq (x_refsource_CONFIRM)
- https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jumpserver | jumpserver | Affected: < 3.8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:17:08.084202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:17:16.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jumpserver",
"vendor": "jumpserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T23:53:15.101Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq"
},
{
"name": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88"
}
],
"source": {
"advisory": "GHSA-9mrc-75cv-46cq",
"discovery": "UNKNOWN"
},
"title": "JumpServer default admin user email leak password reset"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46138",
"datePublished": "2023-10-30T23:53:15.101Z",
"dateReserved": "2023-10-16T17:51:35.574Z",
"dateUpdated": "2024-09-05T20:17:16.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}