Lucene search

GitHub_MCVE-2023-46123

HistoryOct 25, 2023 - 6:17 p.m.

CVE-2023-46123

2023-10-2518:17:36

CWE-307

GitHub_M

web.nvd.nist.gov

jumpserver

core api

password brute-force

spoofing

ip address

vulnerability

security patch

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

21.7%

JSON

jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

fit2cloudjumpserverRange<3.8.0

VendorProductVersionCPE
fit2cloudjumpserver*cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fit2cloud	jumpserver	*	cpe:2.3:a:fit2cloud:jumpserver::::::::

CNA Affected

[
  {
    "vendor": "jumpserver",
    "product": "jumpserver",
    "versions": [
      {
        "version": "< 3.8.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/jumpserver/jumpserver/releases/tag/v3.8.0

github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f

Social References

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

21.7%

JSON

Related for CVE-2023-46123