Path traversal in JumpServer - CVE-2023-42819

 

Path traversal in JumpServer - CVE-2023-42819

Published: September 26, 2023 / Updated: April 27, 2026


Vulnerability identifier: #VU128136
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-42819
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: JumpServer
Affected software:
JumpServer

Detailed vulnerability description

The vulnerability allows a remote user to disclose and modify arbitrary files on the system.

The vulnerability exists due to path traversal in the playbook file upload API endpoint when handling crafted file path parameters. A remote user can send a specially crafted request to disclose and modify arbitrary files on the system.

User interaction is required to create a playbook and obtain its identifier before exploitation.


How to mitigate CVE-2023-42819

Install security update from vendor's website.

Sources