Lucene search

[email protected]NVD:CVE-2023-46123

HistoryOct 25, 2023 - 6:17 p.m.

CVE-2023-46123

2023-10-2518:17:36

CWE-307

[email protected]

web.nvd.nist.gov

jumpserver

open source

bastion machine

security flaw

version 3.8.0

core api

password brute-force

ip address spoofing

vulnerability

patch

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.

Affected configurations

NVD

Node

fit2cloudjumpserverRange<3.8.0

References

github.com/jumpserver/jumpserver/releases/tag/v3.8.0

github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for NVD:CVE-2023-46123

cvelist1 osv1 cve1 prion1