Lucene search

GitHub_MCVELIST:CVE-2023-46138

HistoryOct 30, 2023 - 11:53 p.m.

CVE-2023-46138 JumpServer default admin user email leak password reset

2023-10-3023:53:15

CWE-640

GitHub_M

www.cve.org

cve-2023-46138

jumpserver

default email

password reset

security audit

4a specifications

patch

version 3.8.0

domain

mycompany.com

example.com

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

0.0005 Low

EPSS

Percentile

17.0%

JSON

JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is admin[@]mycompany[.]com, and users reset their passwords by sending an email. Currently, the domain mycompany.com has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to example.com. Those who cannot upgrade may change the default email domain to example.com manually.

CNA Affected

[
  {
    "vendor": "jumpserver",
    "product": "jumpserver",
    "versions": [
      {
        "version": "< 3.8.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88

github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for CVELIST:CVE-2023-46138