Main Vulnerability Database Vulnerabilities #VU128126

Improper Neutralization of Special Elements Used in a Template Engine in JumpServer - CVE-2024-29202

Published: March 29, 2024 / Updated: April 27, 2026

Vulnerability identifier: #VU128126

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-29202

CWE-ID: CWE-1336

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
JumpServer

Software vendor:
JumpServer

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in a template engine in JumpServer Ansible job templates when processing user-supplied playbook templates. A remote user can create a specially crafted playbook template and run a job to execute arbitrary code.

Code execution occurs within the Celery container, which runs with root privileges and has database access.

Remediation

Install security update from vendor's website.

External links

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch

Improper Neutralization of Special Elements Used in a Template Engine in JumpServer - CVE-2024-29202

Description

Remediation

External links

Please verify you're human