Lucene search

[email protected]NVD:CVE-2023-46138

HistoryOct 31, 2023 - 12:15 a.m.

CVE-2023-46138

2023-10-3100:15:10

CWE-640

[email protected]

web.nvd.nist.gov

jumpserver

security audit

4a specifications

default email

password reset

domain registration

patch

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is admin[@]mycompany[.]com, and users reset their passwords by sending an email. Currently, the domain mycompany.com has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to example.com. Those who cannot upgrade may change the default email domain to example.com manually.

Affected configurations

NVD

Node

fit2cloudjumpserverRange<3.8.0

References

github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88

github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for NVD:CVE-2023-46138

osv1 cvelist1 cve1 prion1