Lucene search
PRIOn knowledge basePRION:CVE-2023-43650HistorySep 27, 2023 - 7:15 p.m.
Authentication flaw
2023-09-2719:15:00
PRIOn knowledge base
www.prio-n.com
8
jumpserver
bastion host
password reset
vulnerability
rate limiting
verification code
brute-force attacks
6-digit code
validation attempts
upgrade
0.001 Low
EPSS
Percentile
37.6%
JumpServer is an open source bastion host. The verification code for resetting user’s password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available in 1 minute, this window potentially allows for up to 1,000,000 validation attempts. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jumpserver | ge | 3.0.0 | |
| jumpserver | lt | 3.7.1 | |
| jumpserver | ge | 2.0.0 | |
| jumpserver | lt | 2.28.20 |
Related
osv
osv
CVE-2023-43650
2023-09-27 19:15:11
cve
cve
CVE-2023-43650
2023-09-27 19:15:11
nvd
nvd
CVE-2023-43650
2023-09-27 19:15:11
cvelist
cvelist