Service Notices
JumpServer Unauthorized Access Vulnerability (CVE-2023-42442)
Sep 20, 2023 GMT+08:00
I. Overview
Recently, JumpServer has disclosed an unauthorized access vulnerability (CVE-2023-42442) in specific versions. Due to a defect in system permission configuration, an unauthenticated attacker can exploit this vulnerability to directly access files or sensitive information on the target server. The POC of this vulnerability has been disclosed and the risk is high.
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. If you are a JumpServer user, check your JumpServer version and implement timely security hardening.
References:
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw
https://nvd.nist.gov/vuln/detail/CVE-2023-42442
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
3.0.0 <= JumpServer <= 3.5.4
3.6.0 <= JumpServer <= 3.6.3
Secure versions:
JumpServer >= v3.5.5
JumpServer >= v3.6.4
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.
https://github.com/jumpserver/jumpserver/tags
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.