4.3

CVE-2025-27095

Exploit

EPSS 0.05%
Veröffentlicht 31.03.2025 16:15:23
Zuletzt bearbeitet 12.11.2025 15:50:12
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fit2cloud ≫ Jumpserver Version < 3.10.18

Fit2cloud ≫ Jumpserver Version >= 4.0.0 < 4.8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.158

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-27095

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27095

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27095

EUVD