Jumpserver Security Vulnerabilities and Issues — Jumpserver CVE List

Lucene search

Fit2cloudJumpserver

7 matches found

CVE•added 2023/09/27 3:19 p.m.•2608 views

CVE-2023-42820

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled users are not affect. Users not using local authe...

8.2CVSS7.5AI score0.54081EPSS

CVE•added 2023/09/27 7:15 p.m.•2496 views

CVE-2023-43652

JumpServer is an open source bastion host. As an unauthenticated user, it is possible to authenticate to the core API with a username and an SSH public key without needing a password or the corresponding SSH private key. An SSH public key should be considered public knowledge and should not used as...

9.1CVSS9AI score0.00556EPSS

CVE•added 2023/09/27 3:19 p.m.•2483 views

CVE-2023-42819

JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can use the 'Job-Template' menu and create a playbook named 'test'. Get the playbook id from the detail page, like 'e0adabef-c38f-492d-bd92-832bacc3df5f'. An attacker can ...

8.9CVSS8.6AI score0.31442EPSS

CVE•added 2023/09/27 9:15 p.m.•76 views

CVE-2023-43651

JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided...

9.9CVSS9.7AI score0.10716EPSS

CVE•added 2023/09/27 9:15 p.m.•57 views

CVE-2023-42818

JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication agains...

9.8CVSS7.4AI score0.00174EPSS

CVE•added 2023/09/27 7:15 p.m.•55 views

CVE-2023-43650

JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ra...

8.2CVSS7.9AI score0.00328EPSS

CVE•added 2023/09/15 9:15 p.m.•46 views

CVE-2023-42442

JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affec...

8.2CVSS6.5AI score0.82171EPSS