Lucene search

GitHub_MCVELIST:CVE-2023-46123

HistoryOct 25, 2023 - 12:13 a.m.

CVE-2023-46123 jumpserver is vulnerable to password brute-force protection bypass via arbitrary IP values

2023-10-2500:13:00

CWE-307

GitHub_M

www.cve.org

cve-2023-46123

jumpserver

password brute-force

ip bypass

core api

patch

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.

CNA Affected

[
  {
    "vendor": "jumpserver",
    "product": "jumpserver",
    "versions": [
      {
        "version": "< 3.8.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/jumpserver/jumpserver/releases/tag/v3.8.0

github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for CVELIST:CVE-2023-46123