CVE-2023-42820

Random seed leakage in Jumpserver

CVSS 7 HIGHEPSS 5.4%CWE-200

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7EPSS 5.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

26 sep 2023Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled users are not affect. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds or this issue.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Productos afectados

jumpserver · jumpserver

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/jumpserver/jumpserver/commit/42337f0d00b2a8d45ef063eb5b7deeef81597da5 https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7prv-g565-82qp