JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.
CPE | Name | Operator | Version |
---|---|---|---|
jumpserver | ge | 3.6.0 | |
jumpserver | lt | 3.6.5 | |
jumpserver | lt | 3.5.6 |