Vulnerability Details : CVE-2023-42819
Potential exploit
JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can open the 'Job-Template' menu and create a playbook named 'test', then read the playbook id from its detail page (for example 'e0adabef-c38f-492d-bd92-832bacc3df5f'). An attacker can exploit the directory traversal flaw in the playbook file endpoint to retrieve the contents of an arbitrary file, for example `https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd`. A similar method to modify file contents is also present. This issue has been addressed in version 3.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerability category: Directory traversal
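An added illustration for this page (not JumpServer's own code): the unchecked path join that produces the behaviour described above, beside a hardened version that rejects any `key` resolving outside the playbook directory (it also rejects absolute keys, which the description does not mention), plus a request-log check for the endpoint named in the description. The playbook directory path is a constructed placeholder.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed placeholder for where one playbook's files live; not JumpServer's real layout.
PLAYBOOK_DIR = "/data/playbooks/e0adabef-c38f-492d-bd92-832bacc3df5f"


def unsafe_playbook_path(playbook_dir: str, key: str) -> str:
    """Vulnerable pattern: the 'key' query parameter is joined onto the playbook
    directory unchecked, so '../' segments (or an absolute key) escape it."""
    return os.path.normpath(os.path.join(playbook_dir, key))


class TraversalRejected(ValueError):
    """Raised when a requested key would resolve outside the playbook directory."""


def safe_playbook_path(playbook_dir: str, key: str) -> str:
    """Hardened pattern: resolve the candidate (following symlinks) and require
    that it still lies strictly inside the playbook directory."""
    root = os.path.realpath(playbook_dir)
    candidate = os.path.realpath(os.path.join(root, key))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"key escapes playbook directory: {key!r}")
    return candidate


# The playbook file endpoint family named in the description.
PLAYBOOK_FILE_RE = re.compile(r"^/api/v1/ops/playbook/[0-9a-f-]+/file/?$")


def is_traversal_request(request_target: str) -> bool:
    """Detection: flag a request to the playbook file endpoint whose 'key'
    contains a parent-directory segment or is absolute, after decoding
    (the extra unquote also catches double-encoded '%252e%252e%252f')."""
    parts = urlsplit(request_target)
    if not PLAYBOOK_FILE_RE.match(parts.path):
        return False
    for key in parse_qs(parts.query).get("key", []):
        key = unquote(key)
        segments = re.split(r"[\\/]+", key)
        if ".." in segments or key.startswith(("/", "\\")):
            return True
    return False
```

`is_traversal_request` takes the request-target string as it appears in an access log (path plus query) and can be run over proxy or application logs to surface attempts against unpatched instances.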
Products affected by CVE-2023-42819
- cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-42819
0.09%: probability of exploitation activity in the next 30 days
~38%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-42819
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
8.9 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L | 2.3 | 6.0 | GitHub, Inc. |
CWE ids for CVE-2023-42819
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-42819
- https://github.com/jumpserver/jumpserver/commit/d0321a74f1713d031560341c8fd0a1859e6510d8 (perf: 优化 Playbook 文件创建逻辑 · jumpserver/jumpserver@d0321a7 · GitHub) Patch
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33 (Playbook file uploads cause directory crossing and remote command execution. · Advisory · jumpserver/jumpserver · GitHub) Mitigation; Vendor Advisory