fkie_cve-2024-40629
Vulnerability from fkie_nvd
Published
2024-07-18 17:15
Modified
2025-03-25 20:15
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade the safe versions. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33vVendor Advisory
security-advisories@github.comhttps://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2
af854a3a-2127-422b-91ae-364da2661108https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33vVendor Advisory
Impacted products
Vendor Product Version
fit2cloud jumpserver *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AF749C2D-ED47-4223-980B-E1FD7A3B1C46",
                     versionEndExcluding: "3.10.12",
                     versionStartIncluding: "3.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. The Celery container runs as root and has database access, allowing an attacker to steal all secrets for hosts, create a new JumpServer account with admin privileges, or manipulate the database in other ways. This issue has been patched in release versions 3.10.12 and 4.0.0. It is recommended to upgrade the safe versions. There are no known workarounds for this vulnerability.",
      },
      {
         lang: "es",
         value: "JumpServer es una herramienta de gestión de acceso privilegiado (PAM) de código abierto que proporciona a los equipos de TI y DevOps acceso seguro y bajo demanda a terminales SSH, RDP, Kubernetes, bases de datos y RemoteApp a través de un navegador web. Un atacante puede aprovechar el manual de Ansible para escribir archivos arbitrarios, lo que lleva a la ejecución remota de código (RCE) en el contenedor Celery. El contenedor Celery se ejecuta como root y tiene acceso a la base de datos, lo que permite a un atacante robar todos los secretos de los hosts, crear una nueva cuenta JumpServer con privilegios de administrador o manipular la base de datos de otras formas. Este problema se solucionó en las versiones 3.10.12 y 4.0.0. Se recomienda actualizar las versiones seguras. No se conocen workarounds para esta vulnerabilidad.",
      },
   ],
   id: "CVE-2024-40629",
   lastModified: "2025-03-25T20:15:22.197",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 10,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-07-18T17:15:04.613",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v",
      },
      {
         source: "security-advisories@github.com",
         url: "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.