Path traversal in JumpServer - CVE-2023-42819
Published: September 26, 2023 / Updated: April 27, 2026
JumpServer
Description
The vulnerability allows a remote user to disclose and modify arbitrary files on the system.
The vulnerability exists due to path traversal in the playbook file upload API endpoint when handling crafted file path parameters. A remote user can send a specially crafted request to disclose and modify arbitrary files on the system.
User interaction is required to create a playbook and obtain its identifier before exploitation.
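A defensive check for this class of bug, shown as an added example; it is not JumpServer's code or its actual fix. The function name, the per-playbook directory layout and the sample inputs are assumptions constructed for illustration. The request's file path parameter is resolved (including symlinks) and rejected unless the result stays inside the playbook's own directory.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path would leave the playbook directory."""


def resolve_in_playbook_dir(base_dir, requested):
    """Return the absolute path for `requested`, confined to `base_dir`.

    `base_dir` is the per-playbook work directory (assumed layout);
    `requested` is the untrusted file path parameter from the request.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty path or NUL byte")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the containment
    # check sees the location the OS would actually open. An absolute
    # `requested` replaces `base` in the join and fails the same check.
    target = (base / requested).resolve()
    if base not in target.parents:
        raise UnsafePathError(f"path escapes playbook directory: {requested!r}")
    return target


def demo():
    """Run constructed inputs through the check; returns {input: accepted}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        playbook = Path(root) / "playbooks" / "constructed-id"
        playbook.mkdir(parents=True)
        (playbook / "roles").mkdir()
        os.symlink(root, playbook / "link_out")  # symlink leaving the directory
        for requested in ["main.yml", "roles/web/tasks.yml", "roles/../main.yml",
                          "../other/main.yml", "roles/../../../etc/passwd",
                          "/etc/passwd", "link_out/x", "."]:
            try:
                resolve_in_playbook_dir(playbook, requested)
                results[requested] = True
            except UnsafePathError:
                results[requested] = False
    return results


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}  {path}")
```

The check belongs on every handler that touches the file (read, write, rename, delete), not only on upload, and the resolved path it returns is the one to open.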