CVE-2023-46138

2023-10-3100:15:10

CWE-640

[email protected]

web.nvd.nist.gov

cve-2023-46138

jumpserver

security audit system

4a specifications

unregistered domain

password reset

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is admin[@]mycompany[.]com, and users reset their passwords by sending an email. Currently, the domain mycompany.com has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to example.com. Those who cannot upgrade may change the default email domain to example.com manually.

Affected configurations

Vulners

NVD

Node

jumpserverjumpserverRange<3.8.0

VendorProductVersionCPE
jumpserverjumpserver*cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
jumpserver	jumpserver	*	cpe:2.3:a:jumpserver:jumpserver::::::::

CNA Affected

[
  {
    "vendor": "jumpserver",
    "product": "jumpserver",
    "versions": [
      {
        "version": "< 3.8.0",
        "status": "affected"
      }
    ]
  }
]