8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
5.2 Medium
AI Score
Confidence
High
0.802 High
EPSS
Percentile
98.3%
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api /api/v1/terminal/sessions/
permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to [RBACPermission | IsSessionAssignee]
, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api $HOST/api/v1/terminal/sessions/?limit=1
. The expected http response code is 401 (not_authenticated
).
Vendor | Product | Version | CPE |
---|---|---|---|
jumpserver | jumpserver | * | cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:* |
jumpserver | jumpserver | * | cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:* |
[
{
"vendor": "jumpserver",
"product": "jumpserver",
"versions": [
{
"version": ">= 3.0.0, < 3.5.5",
"status": "affected"
},
{
"version": ">= 3.6.0, < 3.6.4",
"status": "affected"
}
]
}
]
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
5.2 Medium
AI Score
Confidence
High
0.802 High
EPSS
Percentile
98.3%