CVE-2023-42820

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-42820
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-42820.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-42820
Related
  • GHSA-7prv-g565-82qp
Published
2023-09-27T15:19:33Z
Modified
2025-01-08T15:11:58.973420Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
[none]
Details

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled users are not affect. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds or this issue.

References

Affected packages

Git / github.com/jumpserver/jumpserver

Affected ranges

Type
GIT
Repo
https://github.com/jumpserver/jumpserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1
0.3.0-beta
0.3.1
0.3.2

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.10
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9

2.*

2.0.0
2.0.1

v1.*

v1.4.10
v1.4.4
v1.4.7

v2.*

v2.1.0
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.15.0
v2.15.1
v2.17.0
v2.18.0
v2.18.1
v2.19.0
v2.2.0
v2.2.1
v2.20.0
v2.21.0
v2.22.0
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.9.0