CVE-2023-46123

jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*

History

01 Nov 2023, 16:40

Type Values Removed Values Added
CPE cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
First Time Fit2cloud
Fit2cloud jumpserver
CWE CWE-307
References (MISC) https://github.com/jumpserver/jumpserver/releases/tag/v3.8.0 - (MISC) https://github.com/jumpserver/jumpserver/releases/tag/v3.8.0 - Release Notes
References (MISC) https://github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f - (MISC) https://github.com/jumpserver/jumpserver/security/advisories/GHSA-hvw4-766m-p89f - Exploit, Vendor Advisory

25 Oct 2023, 18:17

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-25 18:17

Updated : 2024-02-28 20:33


NVD link : CVE-2023-46123

Mitre link : CVE-2023-46123

CVE.ORG link : CVE-2023-46123


JSON object : View

Products Affected

fit2cloud

  • jumpserver
CWE
CWE-307

Improper Restriction of Excessive Authentication Attempts