Improper access control in JumpServer - CVE-2023-43651

Published: September 27, 2023 / Updated: April 27, 2026


Vulnerability identifier: #VU128133
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-43651
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: JumpServer
Software vendor: JumpServer
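
The metadata block above is the kind of record a vulnerability feed consumer ingests by the hundreds. The following is an added example, not code from the advisory publisher or from the JumpServer project: it parses the flat "Key: value" fields (including the form where the value sits on the next line), decodes the CVSS v4.0 vector into named metrics with validation against the allowed values, and derives triage facts from the metrics, including a cross-check that the threat metric E agrees with the "Exploit availability" field. The advisory text embedded in the block is constructed from the fields shown on this page.

```python
"""Parse a flat-text vulnerability advisory into a structured record and triage it.

Added example for this advisory page; not the publisher's or the vendor's own code.
The ADVISORY_TEXT input is constructed from the fields shown on the page.
"""

# Allowed values for the CVSS v4.0 metrics that appear in the page's vector
# (base metrics, the threat metric E, and the supplemental metric U).
CVSS4_METRICS = {
    "AV": {"N", "A", "L", "P"},
    "AC": {"L", "H"},
    "AT": {"N", "P"},
    "PR": {"N", "L", "H"},
    "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
    "E": {"X", "A", "P", "U"},
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# Constructed from the advisory fields on this page.
ADVISORY_TEXT = """\
Vulnerability identifier: #VU128133
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-43651
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
JumpServer
Software vendor:
JumpServer
"""


def parse_advisory(text):
    """Turn 'Key: value' lines into a dict; a key with an empty value takes the next line."""
    record = {}
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if ":" not in line:
            continue  # a bare value line already consumed by the key before it
        key, _, value = line.partition(":")
        value = value.strip()
        if not value and i < len(lines):
            value = lines[i].strip()
            i += 1
        record[key.strip()] = value
    return record


def parse_cvss4(vector):
    """Split a CVSS:4.0 vector into {metric: value}, rejecting unknown metrics or values."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if name not in CVSS4_METRICS or value not in CVSS4_METRICS[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def triage(record):
    """Derive triage facts from the CVSS metrics and flag contradictions between fields."""
    m = parse_cvss4(record["CVSSv4.0"])
    findings = []
    # Network-reachable, low or no privileges, no user interaction, full impact on the
    # vulnerable system: a reachable path to a host-level compromise.
    if (m["AV"] == "N" and m["PR"] in ("L", "N") and m["UI"] == "N"
            and all(m[k] == "H" for k in ("VC", "VI", "VA"))):
        findings.append("remote full compromise reachable with low or no privileges")
    if m["AT"] == "P":
        findings.append("attack requires specific preconditions (AT:P)")
    if m["PR"] == "L":
        findings.append("requires an authenticated account (PR:L)")
    # Cross-check the prose field against the threat metric E.
    no_public_exploit = "no public exploit" in record.get("Exploit availability", "").lower()
    if m.get("E") == "U" and not no_public_exploit:
        findings.append("INCONSISTENT: E:U but the advisory reports a public exploit")
    if m.get("E") in ("P", "A") and no_public_exploit:
        findings.append("INCONSISTENT: advisory says no public exploit but E says otherwise")
    return {
        "cve": record["CVE-ID"],
        "cwe": record["CWE-ID"],
        "software": record["Vulnerable software"],
        "metrics": m,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(parse_advisory(ADVISORY_TEXT))
    print(result["cve"], result["cwe"], result["software"])
    for finding in result["findings"]:
        print(" -", finding)
```

The parser deliberately rejects vectors with unknown metrics, unknown values, duplicates, or missing base metrics rather than guessing, so a malformed feed entry surfaces as an error instead of a silently wrong triage. No score is computed; the CVSS v4.0 scoring tables are outside what the page shows.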

Description

The vulnerability allows a remote user to execute arbitrary code on the host system.

The vulnerability exists due to improper access control in the MongoDB shell session that JumpServer exposes through its web CLI interface. A remote authenticated user can run arbitrary commands inside the MongoDB shell session and thereby execute arbitrary code on the host system.

The issue may be leveraged to gain root privileges on the host system.


Remediation

Install the security update from the vendor's website.

External links