CVE-2024-29202

Exploit

EPSS 81.15%
Veröffentlicht 29.03.2024 15:15:12
Zuletzt bearbeitet 25.03.2025 20:15:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fit2cloud ≫ Jumpserver Version >= 3.0.0 < 3.10.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	81.15%	0.991

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch

Vendor Advisory

Exploit

https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2

https://nvd.nist.gov/vuln/detail/CVE-2024-29202

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29202

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29202

EUVD