CVE-2023-46138

EPSS 0.04%
Veröffentlicht 31.10.2023 00:15:10
Zuletzt bearbeitet 21.11.2024 08:27:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fit2cloud ≫ Jumpserver Version < 3.8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.122

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

https://github.com/jumpserver/jumpserver/commit/15a5dda9e0cdbe2ac618a6b2a09df8928f485c88

Patch

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-9mrc-75cv-46cq

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-46138

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-46138

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-46138

EUVD