Jumpserver
by Jumpserver
CVEs (26)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-43652 | Jumpserver / Jumpserver | | 0.00 | — | 0.01 | | Sep 27, 2023 | JumpServer is an open source bastion host. As an unauthenticated user, it is possible to authenticate to the core API with a username and an SSH public key without needing a password or the corresponding SSH private key. An SSH public key should be considered public knowledge… |
| CVE-2023-42819 | Jumpserver / Jumpserver | | 0.00 | — | 0.02 | | Sep 26, 2023 | JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can use the 'Job-Template' menu and create a playbook named 'test'. Get the playbook id from the detail page, like… |
| CVE-2023-42820 | Jumpserver / Jumpserver | | 0.00 | — | 0.05 | | Sep 26, 2023 | JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled, users are not affected. Users… |
| CVE-2022-42225 | Jumpserver / Jumpserver | | 0.00 | — | 0.01 | | May 24, 2023 | Jumpserver versions 2.10.0 through 2.26.0 contain multiple stored XSS vulnerabilities caused by improper filtering of user input, allowing arbitrary JavaScript to execute with an administrator's permissions. |
| CVE-2023-28110 | Jumpserver / Jumpserver | | 0.00 | — | 0.01 | | Mar 16, 2023 | Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can… |
| CVE-2021-3169 | Jumpserver / Jumpserver | | 0.00 | — | 0.03 | | Jul 23, 2021 | An issue in Jumpserver before 2.6.2, before 2.5.4, and before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets. |
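The first entry in the table, CVE-2023-43652 (login to the core API with a username and an SSH public key but no private key), is an instance of a broader mistake: treating a public key as if it were a credential. The Go program below is an added illustration of that flaw class and of the proof-of-possession check that closes it. It is not JumpServer's code and does not reproduce the actual bug: `weakLogin`, `strongLogin`, the user table and the fixed key seed are all constructed for this example, and Ed25519 from the Go standard library stands in for whatever SSH key type is enrolled. Go is used because the verifier runs it and because it is the language of the Koko component listed further down the table.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed user store: username -> enrolled public key. The key is derived from a
// fixed seed so the example is deterministic; a real system would load authorized keys.
var aliceSeed = bytes.Repeat([]byte{0x01}, ed25519.SeedSize)
var alicePriv = ed25519.NewKeyFromSeed(aliceSeed)
var users = map[string]ed25519.PublicKey{
	"alice": alicePriv.Public().(ed25519.PublicKey),
}

// weakLogin models the vulnerable pattern: the client sends a username and a public key,
// and the server accepts the login when the key matches the enrolled one. A public key is
// not a secret (it sits in authorized_keys files, key servers, code-hosting profiles), so
// anyone who has seen it can log in without ever holding the private key.
func weakLogin(username string, pub ed25519.PublicKey) bool {
	stored, ok := users[username]
	return ok && bytes.Equal(stored, pub)
}

// challenge is the server-side state for one login attempt: a fresh random nonce that the
// client must sign. A nonce is never reused, so a captured signature cannot be replayed.
type challenge struct {
	Nonce []byte
}

func newChallenge() (*challenge, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return &challenge{Nonce: n}, nil
}

// signingMessage binds the nonce to a purpose string and the username, so a signature
// produced for one user or one protocol cannot be redirected to another.
func signingMessage(username string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-login-v1\x00"))
	h.Write([]byte(username))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// strongLogin accepts the login only if sig is a valid signature, under the enrolled key,
// over the message derived from this challenge. Presenting the public key alone proves nothing.
func strongLogin(username string, ch *challenge, sig []byte) error {
	stored, ok := users[username]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(stored, signingMessage(username, ch.Nonce), sig) {
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}

// clientSign is what a legitimate client does with its private key. An attacker who only
// knows the public key cannot perform this step.
func clientSign(priv ed25519.PrivateKey, username string, ch *challenge) []byte {
	return ed25519.Sign(priv, signingMessage(username, ch.Nonce))
}

func main() {
	leakedPub := users["alice"] // everything the attacker has

	fmt.Println("weak login with public key only:", weakLogin("alice", leakedPub))

	ch, err := newChallenge()
	if err != nil {
		panic(err)
	}
	// Attacker: no private key, so the best they can do is send a bogus signature.
	fmt.Println("strong login, attacker:", strongLogin("alice", ch, make([]byte, ed25519.SignatureSize)))
	// Legitimate client signs the server's challenge with the private key.
	fmt.Println("strong login, alice:", strongLogin("alice", ch, clientSign(alicePriv, "alice", ch)))
}
```

The check a reviewer should look for in any "login with SSH key" endpoint is the one `strongLogin` performs: a server-chosen nonce, a signature over it, and verification against the key on file. Matching the presented key against the stored key, as `weakLogin` does, is an equality test on public data.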
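CVE-2023-42820 above describes verification codes drawn from a random number generator whose seed was exposed through the API, letting the codes be regenerated and used for password resets. The Go program below is an added example and not JumpServer's code: it shows a deterministic, seeded six-digit code generator in the vulnerable style, the attacker regenerating the same sequence from the leaked seed, and a hardened issuer that draws from the OS CSPRNG and enforces expiry, single use and a constant-time comparison. The names (`weakCodeGen`, `predictCodes`, `codeStore`) and the seed value 42 are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	mathrand "math/rand"
	"time"
)

// weakCodeGen models the vulnerable class: codes come from a deterministic PRNG seeded with
// a value the attacker can learn. math/rand is not cryptographically secure even with a secret
// seed; with the seed known, every code it will ever emit is known too.
type weakCodeGen struct{ rng *mathrand.Rand }

func newWeakCodeGen(seed int64) *weakCodeGen {
	return &weakCodeGen{rng: mathrand.New(mathrand.NewSource(seed))}
}

func (g *weakCodeGen) next() string { return fmt.Sprintf("%06d", g.rng.Intn(1000000)) }

// predictCodes is the attacker's side: given the leaked seed, reproduce the next n codes the
// server will send to victims, without ever seeing one of them.
func predictCodes(seed int64, n int) []string {
	g := newWeakCodeGen(seed)
	out := make([]string, n)
	for i := range out {
		out[i] = g.next()
	}
	return out
}

// issuedCode is the server-side record for a hardened code: value, deadline, single-use flag.
type issuedCode struct {
	code    string
	expires time.Time
	used    bool
}

type codeStore struct{ m map[string]*issuedCode }

func newCodeStore() *codeStore { return &codeStore{m: map[string]*issuedCode{}} }

// issue draws the code from crypto/rand: there is no seed to leak and no sequence to predict.
// Re-issuing for the same user replaces any earlier code.
func (s *codeStore) issue(user string, now time.Time, ttl time.Duration) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.m[user] = &issuedCode{code: code, expires: now.Add(ttl)}
	return code, nil
}

// verify rejects unknown, spent and expired codes, compares in constant time, and burns the
// code on success so a code captured in transit cannot be replayed.
func (s *codeStore) verify(user, code string, now time.Time) error {
	c, ok := s.m[user]
	if !ok {
		return errors.New("no code issued for user")
	}
	if c.used {
		return errors.New("code already used")
	}
	if now.After(c.expires) {
		return errors.New("code expired")
	}
	if subtle.ConstantTimeCompare([]byte(c.code), []byte(code)) != 1 {
		return errors.New("code mismatch")
	}
	c.used = true
	return nil
}

func main() {
	const leakedSeed = 42 // constructed: stands in for the seed value the API exposed
	server := newWeakCodeGen(leakedSeed)
	fmt.Println("server sends:     ", server.next(), server.next(), server.next())
	fmt.Println("attacker predicts:", predictCodes(leakedSeed, 3))

	s := newCodeStore()
	now := time.Now()
	code, _ := s.issue("alice", now, 5*time.Minute)
	fmt.Println("hardened first use:", s.verify("alice", code, now))
	fmt.Println("hardened replay:   ", s.verify("alice", code, now))
}
```

The seed exposure is the headline, but the hardened `verify` also addresses the second half of the advisory text: even a code an attacker has observed cannot be replayed once it has been used or has expired, so a leaked generator state and a leaked code are both contained.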
Page 2 of 2 (6 of the 26 CVEs recorded for Jumpserver appear on this page)