Jinja2 Template Injection Vulnerability Affects JumpServer's Ansible
CVE-2024-29202

9.9CRITICAL

Key Information:

Vendor

Jumpserver

Status
Jumpserver
Vendor
CVE Published:
29 March 2024

Badges

🟣 EPSS 81%πŸ“° News Worthy

What is CVE-2024-29202?

JumpServer, an open source bastion host and operation maintenance security audit system, is affected by a Jinja2 template injection vulnerability in its Ansible component. This flaw allows attackers to execute arbitrary code within the Celery container, which operates with root privileges. Consequently, this opens a pathway for malicious actors to gain unauthorized access to sensitive information across all connected hosts or to manipulate the underlying database systems. The vulnerability has been addressed in version 3.10.7, providing critical patches to enhance the security posture of the JumpServer ecosystem.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

jumpserver >= 3.0.0, <= 3.10.6

News Articles

favicon imageCybersecurityNews

JumpServer Critical Flaws Let Attackers Execute Arbitrary Code Remotely

The critical vulnerabilities in JumpServer's Ansible that allowed attackers to execute arbitrary remote code have been patched.

References

https://github.com/jumpserver/jumpserver/security/advisor...
x_refsource_CONFIRM
https://www.sonarsource.com/blog/diving-into-jumpserver-a...
x_refsource_MISC

EPSS Score

81% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • πŸ“°

    First article discovered by CybersecurityNews

  • Vulnerability published

  • Vulnerability Reserved

JSON
.