CVE-2023-28110

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-28110

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28110.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28110

Aliases

GHSA-6x5p-jm59-jh29

Published

2023-03-16T16:18:49.977Z

Modified

2025-11-29T14:10:05.720331Z

Severity

5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

JumpServer Koko vulnerable to Command Injection for Kubernetes Connection

Details

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8.

Database specific

{
    "cwe_ids": [
        "CWE-77"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28110.json"
}

References

Affected packages

Git / github.com/jumpserver/jumpserver

Affected ranges

Type: GIT
Repo: https://github.com/jumpserver/jumpserver
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

46d5ab950b2c4c6ed7875e423e0c15a27bc4a4ed

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28110.json"