Improper access control in JumpServer - CVE-2023-43651


Published: September 27, 2023 / Updated: April 27, 2026


Vulnerability identifier: #VU128133
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-43651
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: JumpServer
Affected software:
JumpServer

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the host system.

The vulnerability exists due to improper access control in the MongoDB shell session exposed through the WEB CLI interface when handling authenticated MongoDB shell access. A remote user who can reach that MongoDB session can run arbitrary commands in it and thereby execute arbitrary code on the host system.

The issue may be leveraged to gain root privileges on the host system.


How to mitigate CVE-2023-43651

Install the security update from the vendor's website.

Sources