CVE-2023-42442
Published: 2023-09-15
Priority: P2 · 59 · medium · 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: EPSS 55.86% (98.9th percentile)
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. Permission control on the API `/api/v1/terminal/sessions/` is broken, so it can be accessed anonymously: the SessionViewSet permission classes are set to `[RBACPermission | IsSessionAssignee]`, and because the relation is OR, a request that satisfies either permission is allowed. Versions 3.5.5 and 3.6.4 contain a fix. After upgrading, request `$HOST/api/v1/terminal/sessions/?limit=1`; the expected HTTP response code is 401 (`not_authenticated`).
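The OR composition described above, modelled as an added example that is neither JumpServer's nor Django REST Framework's code: a minimal stand-in for DRF-style permission composition. It assumes (the page does not say this) that `IsSessionAssignee` passes its view-level check for every request and only restricts per object, which is what makes the OR a no-op for anonymous callers. The `HARDENED` composition at the end is an illustrative mitigation, not the project's actual patch, and `terminal.view_session` is a hypothetical permission name.

```python
# Added example: a minimal model of Django REST Framework-style permission
# composition. It is not DRF and not JumpServer code; it only reproduces the
# view-level semantics of `|` and `&` so the OR weakness can be seen directly.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    is_authenticated: bool
    perms: frozenset = frozenset()


@dataclass(frozen=True)
class Request:
    user: User


class Permission:
    """Base class; `|` and `&` build composites like DRF's OR/AND operands."""

    def has_permission(self, request):
        return True

    def __or__(self, other):
        return Or(self, other)

    def __and__(self, other):
        return And(self, other)


class Or(Permission):
    def __init__(self, left, right):
        self.left, self.right = left, right

    def has_permission(self, request):
        # One passing operand is enough. If either operand passes for
        # everyone, the whole composite passes for everyone.
        return self.left.has_permission(request) or self.right.has_permission(request)


class And(Permission):
    def __init__(self, left, right):
        self.left, self.right = left, right

    def has_permission(self, request):
        return self.left.has_permission(request) and self.right.has_permission(request)


class IsAuthenticated(Permission):
    def has_permission(self, request):
        return request.user.is_authenticated


class RBACPermission(Permission):
    """Assumed simplification of the RBAC check: the user must be logged in
    and hold a hypothetical 'terminal.view_session' permission."""

    def has_permission(self, request):
        return request.user.is_authenticated and "terminal.view_session" in request.user.perms


class IsSessionAssignee(Permission):
    """Assumption: the view-level check passes for any request and the real
    assignee test only runs later, per object. OR-ed with RBACPermission,
    this turns the view-level check into a no-op for anonymous callers."""

    def has_permission(self, request):
        return True


def check_permissions(permission_classes, request):
    """Mirror of the DRF view-level check: every entry in the list must pass."""
    return all(perm.has_permission(request) for perm in permission_classes)


# The composition the advisory describes, and an illustrative hardened form
# (not the project's actual patch) that requires authentication first.
VULNERABLE = [RBACPermission() | IsSessionAssignee()]
HARDENED = [IsAuthenticated() & (RBACPermission() | IsSessionAssignee())]

# Constructed requests.
ANONYMOUS = Request(User(is_authenticated=False))
OPERATOR = Request(User(True, frozenset({"terminal.view_session"})))
PLAIN_USER = Request(User(True))


if __name__ == "__main__":
    for name, classes in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for who, req in (("anonymous", ANONYMOUS), ("operator", OPERATOR), ("plain user", PLAIN_USER)):
            verdict = "allowed" if check_permissions(classes, req) else "denied"
            print(f"{name:10} {who:10} -> {verdict}")
```

The point to take away is that an OR composite is only as strict as its weakest operand at the view level; a permission class that defers everything to the object level should be AND-ed with an authentication requirement rather than OR-ed with an RBAC check.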
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fit2cloud | jumpserver | >= 3.0.0 < 3.5.5 | 3.5.5 |
| fit2cloud | jumpserver | >= 3.6.0 < 3.6.4 | 3.6.4 |
| jumpserver | jumpserver | — | — |
| jumpserver | jumpserver | — | — |
Detection & IOCs (extracted from sources)
sigma: `GET /api/v1/terminal/sessions/ -> HTTP 200 with body containing '"terminal":' AND '"user_id":"' AND '"account_id":' (unauthenticated access)`
- After patching (versions 3.5.5 / 3.6.4), unauthenticated requests to /api/v1/terminal/sessions/?limit=1 must return HTTP 401 (not_authenticated). A 200 response confirms the host is still vulnerable.
- The root cause is SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]` (OR relation), meaning any matched permission, including anonymous, is allowed. Look for unauthenticated access patterns to this endpoint in web/proxy logs.
- FOFA queries 'title="JumpServer"' or 'title="jumpserver"' can be used to identify exposed JumpServer instances for proactive scanning.
- Session replays stored in S3, OSS, or other cloud storage are NOT affected by this vulnerability; only locally stored replays are exposed.
- The vulnerability affects JumpServer versions 3.0.0 through 3.5.4 and 3.6.0 through 3.6.3. Versions 3.5.5 and 3.6.4 contain the fix.
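The two defender actions in the notes above (review web/proxy logs for successful hits on the session endpoint, and interpret the post-upgrade probe result) as an added example that is not part of the advisory or of JumpServer. It assumes a reverse proxy in front of JumpServer writing combined log format; the log lines are constructed. A plain access log cannot show whether a request carried valid credentials, so the scanner only surfaces 200 responses on the endpoint for review, and each hit still has to be correlated with JumpServer's own authentication records.

```python
# Added example: scan constructed combined-format access logs for successful
# responses on the session API and classify a post-upgrade probe status code.
# Not JumpServer code; the deployment behind nginx/Apache is an assumption.
import re
from collections import Counter
from datetime import datetime

SESSION_API_PREFIX = "/api/v1/terminal/sessions/"

# Constructed sample lines (nginx/Apache combined log format). Addresses are
# documentation ranges; no real host is represented.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2023:10:01:02 +0000] "GET /api/v1/terminal/sessions/?limit=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.23 - - [16/Sep/2023:10:02:15 +0000] "GET /api/v1/terminal/sessions/ HTTP/1.1" 401 58 "-" "curl/8.1.2"
203.0.113.7 - - [16/Sep/2023:10:02:40 +0000] "GET /api/v1/terminal/sessions/?limit=100 HTTP/1.1" 200 409600 "-" "python-requests/2.31.0"
192.0.2.10 - - [16/Sep/2023:10:03:00 +0000] "GET /api/v1/users/profile/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_session_api_hits(log_text):
    """Return every parsed record that got a 200 on the session endpoint.

    A 200 here is not proof of abuse (authorised operators also get 200);
    it is the set of requests that need correlation with JumpServer's own
    login records to decide whether the caller was authenticated.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(SESSION_API_PREFIX) and rec["status"] == 200:
            hits.append(rec)
    return hits


def sources_of(hits):
    """Count hits per client address, to spot a single source enumerating sessions."""
    return Counter(h["ip"] for h in hits)


def assess_probe(status_code):
    """Interpret the advisory's post-upgrade check on /api/v1/terminal/sessions/?limit=1.

    401 is the documented expected result; 200 means the endpoint still
    answers anonymously; anything else (e.g. 403 from a proxy ACL, 404
    from a changed route) needs a closer look rather than a verdict.
    """
    if status_code == 401:
        return "patched"
    if status_code == 200:
        return "vulnerable"
    return "inconclusive"


if __name__ == "__main__":
    found = find_session_api_hits(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ts"].isoformat()} {rec["ip"]:15} {rec["status"]} {rec["target"]} {rec["ua"]}')
    print("hits per source:", dict(sources_of(found)))
    print("probe 401 ->", assess_probe(401), "| probe 200 ->", assess_probe(200))
```

Feed real logs through `find_session_api_hits` with the vulnerable window as the time filter; a non-browser user agent requesting large `limit` values from one address is the pattern worth escalating first.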
No advisories linked to this vulnerability.
No detection rules found.
Nuclei: CVE-2023-42442 [MEDIUM] JumpServer > 3.6.4 - Information Disclosure (nuclei · CVSS 5.3)
Template (truncated as indexed):
```yaml
id: CVE-2023-42442
info:
n
```
No writeups or analysis indexed.
References:
- https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91
- https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw