Advisory

JumpServer carries critical vulnerabilities in its Ansible, patch ASAP!

Take action: If you are using JumpServer bastion host, patch it ASAP. For those that can't update, disable the job center functionality since the flaws are in Ansible jobs.


Learn More

JumpServer, an open-source bastion host system for operational security and auditing, has been updated to address critical vulnerabilities tracked as CVE-2024-29201 and CVE-2024-29202 (both with a CVSS score of 10).

These vulnerabilities are present in versions v3.0.0 through v3.10.6 and have been resolved in the newer version v3.10.7.

  • CVE-2024-29201 was caused by a flaw in the validation of Ansible Playbook files within JumpServer's job management, allowing for remote code execution within the Celery container. The exploit could bypass input validation in the Ansible module, enabling attackers to execute arbitrary code with database access and root rights, which could lead to database modifications or the theft of confidential data from all hosts.
  • CVE-2024-29202 stemmed from a Jinja2 template injection vulnerability within the same Ansible module, allowing attackers to execute arbitrary code under the same conditions as the other flaw.
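To make the second flaw concrete, here is an added illustration of the Jinja2 template-injection pattern in general terms. It is not JumpServer's code and does not reproduce its Ansible module; the sample inputs, the field name `host`, and the function names are constructed for this example. It contrasts an unsafe renderer that splices untrusted text into the template source with a fixed renderer that keeps the template constant and passes the untrusted text in as data, and it shows the kind of input check a job form could apply before any value reaches a template engine.

```python
"""Added illustration of the template-injection pattern the advisory describes.

This is NOT JumpServer code. It contrasts an unsafe renderer that splices
untrusted text into Jinja2 template source with a fixed renderer that keeps the
template constant and passes untrusted text in as data, plus the kind of input
check a job form could apply before anything reaches a template engine.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample inputs (not from the advisory): what an operator might
# type into a host field of a job form. The second one is a template expression.
BENIGN_INPUT = "web-01"
EXPRESSION_INPUT = "{{ 7 * 7 }}"

# Markers that mean "this string would be interpreted by Jinja2 if it ever
# became template source": expression, statement and comment delimiters.
TEMPLATE_MARKERS = ("{{", "{%", "{#")


def has_template_syntax(value: str) -> bool:
    """Input check: True if a plain-value field contains Jinja2 delimiters."""
    return any(marker in value for marker in TEMPLATE_MARKERS)


def render_unsafe(user_text: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated into the template
    SOURCE, so any {{ ... }} it contains is evaluated by the engine."""
    env = Environment()
    return env.from_string("Running job on " + user_text).render()


def render_fixed(user_text: str) -> str:
    """Fixed pattern: the template is a constant and untrusted text is supplied
    as DATA, so it is substituted verbatim and never parsed as template code."""
    # The sandbox is defence in depth; keeping untrusted text out of the
    # template source is the actual fix.
    env = SandboxedEnvironment()
    template = env.from_string("Running job on {{ host }}")
    return template.render(host=user_text)


def triage(user_text: str) -> dict:
    """Run the input check and both renderers over one input for comparison."""
    return {
        "flagged_by_input_check": has_template_syntax(user_text),
        "unsafe_render": render_unsafe(user_text),
        "fixed_render": render_fixed(user_text),
    }


if __name__ == "__main__":
    for sample in (BENIGN_INPUT, EXPRESSION_INPUT):
        print(repr(sample), "->", triage(sample))
```

The benign input renders identically in both paths; the expression input is evaluated only by the unsafe path, while the fixed path echoes it back as literal text and the input check flags it. The same data-not-source discipline applies to any value that ends up in a playbook: user-supplied strings belong in variables passed to the engine, never concatenated into template or playbook text.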

For users unable to upgrade immediately to the fixed version, a temporary mitigation is to disable the job center functionality within JumpServer. This requires administrative access: in the system settings, open the task center, where the job center functionality can be disabled.

It's imperative for organizations using JumpServer to apply these patches promptly to protect against potential exploitation. More details can be found on the release page (in Chinese).
