PT-2023-5833 · Unknown · Jumpserver
Reported by: Edwardzpeng (+2)
Published: 2023-09-14 · Updated: 2025-08-26
CVE-2023-42820
CVSS v3.1: 7.0 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
JumpServer versions prior to 2.28.19
JumpServer versions prior to 3.6.5
Description
The random number seed used to generate the verification codes is exposed through the API. Since the code is derived from that seed, anyone who obtains the seed can regenerate the code without solving the challenge and replay it, which can lead to a password reset for the targeted account. Users with MFA enabled are not affected, and users who do not use local authentication are also not affected.
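To make the weakness concrete, the following is an added illustrative example, not JumpServer's own code: a challenge issuer that derives the code from a seed and returns that seed in the API response, beside a hardened issuer that uses a CSPRNG, keeps only a hash of the code server-side, and consumes each challenge on first use. All function and class names (code_from_seed, vulnerable_issue_challenge, ChallengeStore, demo) and the seed value are hypothetical.

```python
import hashlib
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 6


# ---- Vulnerable pattern (hypothetical): code derived from a seed that the API returns ----

def code_from_seed(seed: int) -> str:
    """Derive a verification code deterministically from a PRNG seed.
    random.Random is not a CSPRNG; with a known seed its output is fully predictable."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(CODE_LEN))


def vulnerable_issue_challenge(seed: int) -> tuple[dict, str]:
    """Simulates an API response that (wrongly) includes the seed.
    Returns (client-visible response, server-side expected code)."""
    code = code_from_seed(seed)
    response = {"seed": seed, "image": f"<captcha image for {code}>"}
    return response, code


def attacker_recover_code(response: dict) -> str:
    """An attacker who sees the seed regenerates the code without reading the image."""
    return code_from_seed(response["seed"])


# ---- Hardened pattern: CSPRNG, opaque challenge id, server-side only, single use ----

class ChallengeStore:
    """Holds pending challenges keyed by an unguessable id; only a hash of the code is kept."""

    def __init__(self) -> None:
        self._pending: dict[str, bytes] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        # Case-insensitive comparison, as captchas usually are.
        return hashlib.sha256(code.strip().upper().encode()).digest()

    def issue(self) -> tuple[dict, str]:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = self._digest(code)
        response = {"challenge_id": challenge_id, "image": f"<captcha image for {code}>"}
        return response, code  # code returned here only so the demo can simulate a user

    def verify(self, challenge_id: str, submitted: str) -> bool:
        # Consume the challenge on first use, whether the answer is right or wrong,
        # so a captured answer cannot be replayed.
        expected = self._pending.pop(challenge_id, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._digest(submitted))


def demo() -> dict:
    # Vulnerable: the seed leaks, so the code is recoverable and the same seed replays.
    resp, server_code = vulnerable_issue_challenge(seed=20230914)
    recovered = attacker_recover_code(resp)
    _, replayed_code = vulnerable_issue_challenge(seed=20230914)

    # Hardened: nothing in the response lets a client reconstruct the code,
    # and a challenge can be answered at most once.
    store = ChallengeStore()
    h_resp, h_code = store.issue()
    first = store.verify(h_resp["challenge_id"], h_code)
    replay = store.verify(h_resp["challenge_id"], h_code)

    return {
        "attacker_recovered_code": recovered == server_code,
        "same_seed_same_code": replayed_code == server_code,
        "hardened_response_has_seed": "seed" in h_resp,
        "hardened_first_verify": first,
        "hardened_replay_verify": replay,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant removes both halves of the problem: the response carries only an opaque challenge id, so there is nothing a client can feed back into a generator, and the store forgets the challenge after one verification attempt, so a code that was seen once cannot be presented again.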
Recommendations
For versions prior to 2.28.19, upgrade to version 2.28.19 or later.
For versions prior to 3.6.5, upgrade to version 3.6.5 or later.
If upgrading cannot be done immediately, restrict access to the API endpoint that exposes the random number seed, and enable MFA for local accounts, since users with MFA enabled are not affected.
Do not rely on verification codes produced by the affected API endpoint until the fixed version is deployed.
Exploit
Fix
Information Disclosure
Improper Access Control
Code Injection
Related Identifiers: CVE-2023-42820
Affected Products: Jumpserver