CVE-2023-28110

Exploit

EPSS 0.53%
Veröffentlicht 16.03.2023 17:15:09
Zuletzt bearbeitet 21.11.2024 07:54:25
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fit2cloud ≫ Jumpserver Version < 2.28.8

Fit2cloud ≫ Koko Version- SwPlatformgo

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.665

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	5.7	0.5	5.2	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8

Patch

Release Notes

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-28110

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28110

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28110

EUVD