Dark
Light

Critical JumpServer flaws can let attackers run remote code arbitrarily

1 min read
48 views




JumpServer Critical Flaws – Attackers Execute Arbitrary Code

TLDR:

  • Critical vulnerabilities in JumpServer’s Ansible patched after allowing attackers to execute arbitrary remote code.
  • Vulnerabilities identified as CVE-2024-29201 and CVE-2024-29202 impact versions v3.0.0-v3.10.6.

The critical vulnerabilities in JumpServer’s Ansible that allowed attackers to execute arbitrary remote code have been patched. With a CVSS base score of 10, the critical vulnerabilities identified as CVE-2024-29201 and CVE-2024-29202 impact versions v3.0.0-v3.10.6. A jump server is an intermediary device that uses a supervised secure channel to route traffic across firewalls. It is often most advantageous to large and small enterprises since it provides more visibility and control over internal servers and domains, as well as the ability to stratify security zones for increased breach prevention.

CVE-2024-29201 – Insecure Ansible Playbook Validation

According to GitHub reports, the vulnerability arises from bypassing input validation in the Ansible module of JumpServer. Attackers can run arbitrary code within the Celery container by evading JumpServer’s Ansible input validation mechanism. Because the Celery container has database access and root rights, attackers could modify the database or steal confidential data from every host.

CVE-2024-29202 – Jinja2 template injection in Ansible

In this case, attackers can run arbitrary code inside the Celery container by taking advantage of a Jinja2 template injection vulnerability in JumpServer’s Ansible. Because the Celery container has database access and root rights, attackers could modify the database or steal confidential data from every host.

Affected Versions: v3.0.0-v3.10.6

Fixed Version: v3.10.7

Hence, to avoid these critical vulnerabilities, users are advised to apply the patch as soon as feasible.


Previous Story

Cal Poly’s new program boosts cybersecurity workforce development efforts

Next Story

Shearwater: London cyber firm awaits big deals, misses forecasts

Latest from News