Unrated severity · NVD Advisory · Published Oct 30, 2023 · Updated Sep 5, 2024
JumpServer default admin user email leak password reset
CVE-2023-46138
Description
JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email address for the initial admin user is admin[@]mycompany[.]com, and password resets are performed by sending a reset email to the user's address. Currently, the domain mycompany.com has not been registered. However, if it is registered in the future, whoever controls it could receive reset emails for the default admin account, affecting the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to example.com, a domain reserved for documentation that is never delegated to a third party. Those who cannot upgrade may change the default email domain to example.com manually.
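The following is an added audit script, not JumpServer's own code, that illustrates the defender's check the description implies: scan exported user records for privileged accounts whose reset email sits on an unreserved placeholder domain (such as mycompany.com) and suggest the example.com rewrite the advisory recommends. The user records, the `is_superuser` field name and the extra placeholder domains beyond mycompany.com are constructed assumptions for this example.

```python
from typing import Dict, List, Optional

# Domains reserved by IANA (RFC 2606 / RFC 6761). They are never delegated,
# so a reset email addressed to them cannot be received by a third party.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org", "example",
                    "invalid", "localhost", "test"}

# Placeholder domains that look like defaults but are ordinary registrable
# names. "mycompany.com" is the one from the advisory; the rest are
# constructed illustrations of the same pattern.
RISKY_PLACEHOLDERS = {"mycompany.com", "company.com", "yourdomain.com"}

SAFE_DEFAULT_DOMAIN = "example.com"  # what JumpServer 3.8.0 switched to


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of a syntactically plausible address, else None."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def _matches_suffix(domain: str, names: set) -> bool:
    """True if the domain or any of its parent domains is in `names`."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def classify_email(email: str) -> str:
    """Classify an address as 'invalid', 'reserved', 'placeholder' or 'ok'."""
    domain = email_domain(email)
    if domain is None:
        return "invalid"
    if _matches_suffix(domain, RESERVED_DOMAINS):
        return "reserved"      # safe: nobody can ever register it
    if _matches_suffix(domain, RISKY_PLACEHOLDERS):
        return "placeholder"   # risky: registrable by anyone
    return "ok"


def suggest_remediation(email: str) -> str:
    """Rewrite the domain to the reserved default, keeping the local part."""
    local = email.split("@")[0] if "@" in email else email
    return f"{local}@{SAFE_DEFAULT_DOMAIN}"


def audit_users(users: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag privileged accounts whose reset email is a placeholder or malformed."""
    findings = []
    for user in users:
        email = str(user["email"])
        verdict = classify_email(email)
        if user.get("is_superuser") and verdict in ("placeholder", "invalid"):
            findings.append({
                "username": str(user["username"]),
                "email": email,
                "verdict": verdict,
                "suggested": suggest_remediation(email),
            })
    return findings


# Constructed sample export; only the first record reproduces the advisory's default.
SAMPLE_USERS = [
    {"username": "admin", "email": "admin@mycompany.com", "is_superuser": True},
    {"username": "alice", "email": "alice@ops.example.org", "is_superuser": True},
    {"username": "bob", "email": "bob@bastion.corp", "is_superuser": False},
]

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(f"{finding['username']}: {finding['email']} is {finding['verdict']}; "
              f"set to {finding['suggested']} or a real mailbox you control")
```

The suffix check matters: an address under a subdomain of a reserved name (ops.example.org) is just as safe as example.org itself, while any address under a registrable placeholder is flagged regardless of subdomain.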
Affected products
- Range: < 3.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88 (MISC)
- github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq (CONFIRM)
News mentions
No linked articles in our index yet.