Highibuler

**Name of the Vulnerable Software and Affected Versions** JumpServer versions 3.0.0 through 3.5.4 JumpServer versions 3.6.0 through 3.6.3 **Description** The issue is related to a weakness in the authentication procedure of JumpServer, an open-source bastion host and professional operation and maintenance security audit system. This weakness can be exploited by a remote attacker to cause a denial of service. Specifically, the `/api/v1/terminal/sessions/` API endpoint has broken permission control, allowing anonymous access. The `SessionViewSet` permission classes are set to `[RBACPermission | IsSessionAssignee]`, with a relation of "or", meaning any matched permission will be allowed. **Recommendations** For JumpServer versions 3.0.0 through 3.5.4, upgrade to version 3.5.5 or later. For JumpServer versions 3.6.0 through 3.6.3, upgrade to version 3.6.4 or later. After upgrading, visit the API `$HOST/api/v1/terminal/sessions/?limit=1` to verify that the expected HTTP response code is 401 (`not authenticated`). As a temporary workaround, consider restricting access to the `/api/v1/terminal/sessions/` API endpoint to minimize the risk of exploitation.