Alert number: KAIFA-KSIRT-202407-18
Published: 2024/7/18
Updated on: 2024/7/18
1. Vulnerability Overview
JumpServer is an open-source bastion host and operations and maintenance (O&M) security audit system.
Recently, we detected that an arbitrary file write vulnerability (CVE-2024-40629) was fixed in JumpServer. It may lead to the theft of sensitive information on the host, the creation of a new JumpServer account with administrator privileges, or manipulation of the database.
In addition, there is an arbitrary file read vulnerability (CVE-2024-40628) that could lead to the disclosure of sensitive information.
Affected users are advised to inspect their assets and take preventive measures to avoid attacks.
2. Versions and fixes
Affected Products | Patched version | Affected versions
JumpServer | v3.10.12, v4.0.0 | v3.0.0 - v3.10.11
3. Impact and Consequences
Threat actors can use Ansible playbooks to read arbitrary files in the Celery container, resulting in sensitive information leakage.
4. Vulnerability Scoring
The vulnerability is graded using the KAIFA AMI scoring rules.
Final score: 10
5. Technical Details
Prerequisites for exploiting the vulnerability: a user with low privileges can write files using an Ansible playbook.
Vulnerability details:
There is an arbitrary file write vulnerability in JumpServer v3.0.0 - v3.10.11. Attackers with low-privileged user accounts can use Ansible playbooks to write arbitrary files, thereby executing arbitrary code in the Celery container. Since the Celery container runs with root privileges and has database access rights, this may lead to the theft of sensitive information on the host, the creation of a new JumpServer account with administrator privileges, or manipulation of the database.
In addition, there is an arbitrary file read vulnerability (CVE-2024-40628) in JumpServer v3.0.0 - v3.10.11. Threat actors can use Ansible playbooks to read arbitrary files in the Celery container, resulting in sensitive information leakage.
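A defender-side pre-flight check for the mechanism described above, added here as an example and not JumpServer's own code: it inspects a submitted playbook for file parameters that resolve on the Ansible controller, for tasks delegated to localhost, and for controller-side lookups. Assumptions: the playbook runs on the Ansible controller (the Celery container named in this advisory), the allowed directory `/opt/jobs` is a placeholder, and the sample playbook is constructed.

```python
"""Pre-flight audit of user-submitted Ansible playbooks. Added example, not
JumpServer's code. Assumption: the playbook runs on the Ansible controller, i.e.
the root Celery container named in the advisory, so that is what we protect."""
import posixpath
import re

# Ansible semantics: copy/template/unarchive read `src` on the controller
# (unless remote_src is set); fetch writes `dest` on the controller.
CONTROLLER_PATHS = {"copy": "src", "template": "src", "unarchive": "src", "fetch": "dest"}
KEYWORDS = {"name", "when", "register", "delegate_to", "become", "loop", "vars"}
# Lookup plugins that read files or run commands on the controller.
LOOKUP_RE = re.compile(r"lookup\(\s*['\"](file|fileglob|pipe|template|env)['\"]")

def _escapes(path, root):
    """True when `path` (absolute, or relative with '..') resolves outside `root`."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, path))
    return full != root and not full.startswith(root + "/")

def audit_playbook(playbook, allowed_root="/opt/jobs"):
    """Findings for a yaml.safe_load()ed playbook; an empty list means clean."""
    findings = []
    for p, play in enumerate(playbook):
        for t, task in enumerate(play.get("tasks", [])):
            where = f"play {p} task {t}"
            if task.get("delegate_to") in ("localhost", "127.0.0.1") or "local_action" in task:
                findings.append(f"{where}: runs on the controller (delegate_to/local_action)")
            for key, args in task.items():
                if key in KEYWORDS:
                    continue
                mod = key.rsplit(".", 1)[-1]            # 'ansible.builtin.copy' -> 'copy'
                params = args if isinstance(args, dict) else {}
                param = CONTROLLER_PATHS.get(mod)
                if param in params and not params.get("remote_src") \
                        and _escapes(str(params[param]), allowed_root):
                    findings.append(f"{where}: {mod}.{param}={params[param]!r} leaves {allowed_root}")
                # Lookups can hide in any string argument, including free-form ones.
                for text in ([args] if isinstance(args, str) else map(str, params.values())):
                    if LOOKUP_RE.search(text):
                        findings.append(f"{where}: controller-side lookup in {mod}")
    return findings

# Constructed sample (the structure yaml.safe_load would return): one benign task,
# then a controller read, a controller write, a delegated command and a lookup.
SAMPLE = [{"hosts": "all", "tasks": [
    {"name": "ok", "ansible.builtin.copy": {"src": "app.conf", "dest": "/etc/app.conf"}},
    {"name": "read", "copy": {"src": "/etc/passwd", "dest": "/tmp/p"}},
    {"name": "write", "fetch": {"src": "/etc/hostname", "dest": "../../etc/motd", "flat": True}},
    {"name": "exec", "shell": "id", "delegate_to": "localhost"},
    {"name": "peek", "debug": {"msg": "{{ lookup('file', '/etc/hosts') }}"}},
]}]
```

Running `audit_playbook(SAMPLE)` reports the last four tasks and leaves the first alone; a task with `remote_src: true` is also skipped because its `src` is read on the asset, not the controller.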
6. Circumvention Measures
None.
7. Version acquisition path
Services that support automatic updates will receive system update prompts, and users can perform the system update to fix the vulnerabilities. Alternatively, they can manually download the plug-ins from the official website to update and fix the vulnerabilities.
8. Vulnerability Source
Supplier notification
9. Update Records
KAIFA-KSIRT-Initial
10. FAQs
None.
11. Developing external security response services
KAIFA has always advocated doing its utmost to protect the interests of product users, following the principle of responsible disclosure of security incidents, and handling product security issues through its product security issue handling mechanism.
12. Statement
This document is provided "as is" without any express, implied or statutory warranty, including (but not limited to) the warranties of merchantability, fitness for purpose and non-infringement. In no event shall KAIFA, its directly or indirectly controlled subsidiaries, or its suppliers be liable for any loss, including direct, indirect, incidental or consequential loss of business profits or special damages. You shall bear all legal liabilities arising from the use of this document in any way. KAIFA may modify or update the content and information contained in this document at any time.