PT-2023-28901 · Unknown · Jumpserver
Oskar-Zeinomahmalat-Sonarsource · Published 2023-09-27 · Updated 2025-04-21 · CVE-2023-43650
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: JumpServer versions prior to 2.28.20; JumpServer versions prior to 3.7.1

Description: The verification code for resetting a user's password in JumpServer is vulnerable to brute-force attacks due to the absence of rate limiting. This allows for up to 1,000,000 validation attempts within a 1-minute window. The issue is related to the 6-digit verification code sent to users to facilitate password reset.

Recommendations: For versions prior to 2.28.20, upgrade to version 2.28.20 or later. For versions prior to 3.7.1, upgrade to version 3.7.1 or later. As a temporary workaround, consider implementing rate limiting on the password reset feature until a patch is available. Restrict access to the password reset functionality to minimize the risk of exploitation.
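The workaround above is rate limiting on the reset-code check. The following is an added illustration of what that looks like server-side; it is not JumpServer's code and not part of this advisory. The class name, the policy constants (code lifetime, 5 attempts per code, 10 attempts per account per hour) and the in-memory store are all assumptions chosen for the example; a real deployment would keep this state in a shared store such as a database or cache. The point it demonstrates is that a 6-digit code has only 1,000,000 possible values, so the attempt budget, not the code length, is what makes guessing impractical: with at most 5 guesses per code the chance of success is 5 in 1,000,000 before the code is burned.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy values for this example (not taken from the advisory).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60      # a code is valid for 10 minutes
MAX_ATTEMPTS_PER_CODE = 5       # after this the code is invalidated
MAX_ATTEMPTS_PER_WINDOW = 10    # per-account ceiling across all codes
WINDOW_SECONDS = 60 * 60        # sliding window for the per-account ceiling


@dataclass
class _PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class ResetCodeVerifier:
    """Issues and checks password-reset codes with per-code and per-account limits.

    Hypothetical in-memory implementation for illustration only.
    """
    pending: Dict[str, _PendingCode] = field(default_factory=dict)  # username -> code
    history: Dict[str, List[float]] = field(default_factory=dict)   # username -> attempt times

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a fresh code for the user, replacing any earlier one."""
        now = time.time() if now is None else now
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = _PendingCode(code, now + CODE_TTL_SECONDS)
        return code

    def _window_attempts(self, username: str, now: float) -> int:
        """Count attempts for this account inside the sliding window, pruning old ones."""
        stamps = [t for t in self.history.get(username, []) if now - t < WINDOW_SECONDS]
        self.history[username] = stamps
        return len(stamps)

    def verify(self, username: str, submitted: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Check a submitted code. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        # Per-account ceiling is checked first so a locked account
        # cannot even consume a freshly issued code.
        if self._window_attempts(username, now) >= MAX_ATTEMPTS_PER_WINDOW:
            return False, "rate_limited"
        self.history.setdefault(username, []).append(now)

        entry = self.pending.get(username)
        if entry is None:
            return False, "no_code"
        if now >= entry.expires_at:
            del self.pending[username]
            return False, "expired"

        entry.attempts += 1
        # Constant-time compare so response timing does not leak a matching prefix.
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[username]      # single use
            return True, "ok"
        if entry.attempts >= MAX_ATTEMPTS_PER_CODE:
            del self.pending[username]      # burn the code; a new one must be requested
            return False, "code_invalidated"
        return False, "wrong_code"
```

Without the two counters the `verify` loop is exactly the unbounded check the advisory describes; with them, each issued code tolerates a handful of mistakes and then dies, and the per-account window stops an attacker from simply requesting codes in a loop. Keying the window on the account rather than the client IP is deliberate, because the limit must hold even when guesses arrive from many sources.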

Related Identifiers: CVE-2023-43650, GHSA-MWX4-8FWC-2XVW

Affected Products: Jumpserver