PT-2023-5833 · Unknown · Jumpserver

Edwardzpeng +2
Published 2023-09-14 · Updated 2025-08-26
CVE-2023-42820
CVSS v3.1: 7.0 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: JumpServer versions prior to 2.28.19; JumpServer versions prior to 3.6.5.
Description: The random number seed used to generate verification codes is exposed through the API, so the randomly generated verification codes can be reproduced and replayed, which could lead to password resets. Users with MFA enabled are not affected. Users who do not use local authentication are also not affected.
Recommendations: For versions prior to 2.28.19, upgrade to version 2.28.19 or later. For versions prior to 3.6.5, upgrade to version 3.6.5 or later. As a temporary workaround, restrict access to the API endpoint that exposes the random number seed until the patch is applied, and do not rely on the verification codes generated by the affected endpoint until the issue is resolved.

Exploit

Fix

Information Disclosure

Improper Access Control

Code Injection


Weakness Enumeration

Related identifiers

BDU:2023-06519
CVE-2023-42820
GHSA-7PRV-G565-82QP

Affected products

Jumpserver