CVE-2023-46123

low-risk
Published 2023-10-25

jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.

Do I need to act?

-
0.44% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Fit2Cloud

References (5)

Release Notes https://github.com/jumpserver/jumpserver/releases/tag/v3.8.0
Exploit https://github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f
https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-int...
Release Notes https://github.com/jumpserver/jumpserver/releases/tag/v3.8.0
Exploit https://github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f
28
/ 100
low-risk
Severity 21/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal