JumpServer Connection Token Leakage Vulnerability Allowing Unauthorized Access and Privilege Escalation
Vulnerability
A vulnerability exists in JumpServer, an open-source bastion host and operations-and-maintenance (O&M) security audit system, in versions prior to v3.10.20-lts and v4.10.11-lts. The super-connection API endpoint does not scope its response to the requesting user: an authenticated, non-privileged user who sends a GET request to it receives connection tokens belonging to every user, not only the tokens they own. Because a connection token is what JumpServer uses to authorize a session to a managed asset, an attacker can present a retrieved token and connect to assets as the token's original owner, gaining unauthorized access to sensitive systems and, where the owner holds broader asset permissions, escalating privilege.
Impact
Exploitation requires only an ordinary authenticated account. The attacker obtains connection tokens issued to other users and uses them to open sessions on managed assets with those users' identities and asset permissions; sessions are attributed to the token owner rather than the attacker, and tokens belonging to more privileged users yield privilege escalation across the systems JumpServer fronts.
Remediation
Upgrade to JumpServer v3.10.20-lts or v4.10.11-lts (or a later release in the same LTS line) to address this vulnerability. If an immediate upgrade is not possible, the Nginx instance in front of JumpServer can be configured to reject GET requests to the super-connection API endpoint, which stops the token list from being read. This workaround only blocks the leaking request; it does not fix the missing ownership check in the application, so the upgrade should still follow.
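As an added example (not JumpServer project code and not part of this advisory), the following Python script checks whether an instance exposes other users' tokens in the way described above and also confirms that the remediation is in place: run with a low-privilege account's API key, it requests the token list and flags every record whose owner is not the requesting user, and it reports an HTTP 403/405 from a front-end Nginx GET block as "not readable". The endpoint path `/api/v1/authentication/super-connection-token/`, the `Authorization: Token <key>` header, and the record layout (a `user` field that is either a nested object with `username` or a bare string) are assumptions; the embedded sample response is constructed.

```python
"""Audit a JumpServer instance for connection-token over-exposure.

Added example, not JumpServer project code. Assumptions (see lead-in):
SUPER_TOKEN_PATH, the Authorization header format, and the record layout.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed list endpoint of the super-connection-token API.
SUPER_TOKEN_PATH = "/api/v1/authentication/super-connection-token/"

# Constructed sample of what a vulnerable instance might return to user "alice":
# her own token plus tokens that belong to other users.
SAMPLE_RECORDS = [
    {"id": "t-001", "user": {"id": "u-1", "username": "alice"},
     "asset": {"name": "db-01"}, "account": "alice", "protocol": "ssh"},
    {"id": "t-002", "user": {"id": "u-2", "username": "bob"},
     "asset": {"name": "web-01"}, "account": "root", "protocol": "ssh"},
    {"id": "t-003", "user": "carol",
     "asset": {"name": "win-01"}, "account": "Administrator", "protocol": "rdp"},
]
SAMPLE_RESPONSE = json.dumps(SAMPLE_RECORDS)


def owner_of(record):
    """Username that owns a token record.  The API may serialise `user` as a
    nested object or a bare string (assumption); both forms are handled."""
    user = record.get("user")
    if isinstance(user, dict):
        return str(user.get("username") or user.get("name") or user.get("id") or "")
    return "" if user is None else str(user)


def to_records(body):
    """Accept a JSON string, a bare list, or a paginated {"results": [...]} page."""
    data = json.loads(body) if isinstance(body, str) else body
    if isinstance(data, dict):
        data = data.get("results", [])
    if not isinstance(data, list):
        raise ValueError("unexpected token list payload")
    return data


def filter_for_requester(records, requester):
    """What a correctly scoped endpoint returns: only the requester's tokens."""
    return [r for r in records if owner_of(r) == requester]


def assess(body, requester):
    """Summarise how many returned tokens belong to someone other than requester."""
    records = to_records(body)
    foreign = [r for r in records if owner_of(r) != requester]
    return {
        "total": len(records),
        "foreign": len(foreign),
        "vulnerable": bool(foreign),
        "exposed_owners": sorted({owner_of(r) for r in foreign}),
    }


def fetch_tokens(base_url, api_key, timeout=10):
    """GET the token list as the given API key; returns (http_status, body).
    Assumes JumpServer's `Authorization: Token <key>` private-token scheme."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SUPER_TOKEN_PATH,
        headers={"Authorization": f"Token {api_key}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def main(argv):
    if len(argv) == 2 and argv[1] == "--sample":
        status, body, requester = 200, SAMPLE_RESPONSE, "alice"
    elif len(argv) == 4:
        base_url, api_key, requester = argv[1:]
        status, body = fetch_tokens(base_url, api_key)
    else:
        print(f"usage: {argv[0]} <base_url> <api_key> <requester_username> | --sample")
        return 2
    if status != 200:
        # A 403/405 here is what an Nginx GET block on the path looks like.
        print(f"GET {SUPER_TOKEN_PATH} returned HTTP {status}: endpoint not readable")
        return 0
    report = assess(body, requester)
    print(json.dumps(report, indent=2))
    return 1 if report["vulnerable"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the API key of an ordinary user, never an administrator: an admin is expected to see all tokens, so a positive result from an admin key proves nothing. The script exits 1 when tokens owned by other users come back (vulnerable), 0 when only the requester's own tokens are returned or the GET is blocked, and `--sample` runs the offline demonstration against the constructed response.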
