CVE-2023-42820

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-42820

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-42820.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-42820

Aliases

GHSA-7prv-g565-82qp

Published

2023-09-26T20:35:22Z

Modified

2025-10-30T19:32:07Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L CVSS Calculator

Summary

Random seed leakage in Jumpserver

Details

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled users are not affect. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds or this issue.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/jumpserver/jumpserver

Affected ranges

Type

GIT

Repo

https://github.com/jumpserver/jumpserver

Events

Introduced

f52a0ce96030c048b313803c54df11a17aa58999

Fixed

22df4cba86cfe58cba94408a14b08a3292a07f5c

Database specific

{
    "versions": [
        {
            "introduced": "2.24"
        },
        {
            "fixed": "2.28.19"
        }
    ]
}

Type

GIT

Repo

https://github.com/jumpserver/jumpserver

Events

Introduced

7d3eb8c75d7edeb1cca3da25ae435acf678c4f69

Fixed

811d64be69c242719be21275f29558cb12671e77

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.6.5"
        }
    ]
}