Information disclosure in JumpServer - CVE-2023-42820

Published: September 26, 2023 / Updated: April 27, 2026


Vulnerability identifier: #VU128138
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-42820
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
JumpServer
Software vendor:
JumpServer

Description

The vulnerability allows a remote attacker to reset user passwords without knowing the legitimate verification code.

The vulnerability exists because the API that handles password-reset verification codes exposes the random number seed used to generate them. A remote attacker who obtains the seed can reproduce the verification code that was generated from it and submit that code to reset a user's password.

Instances with MFA enabled are not affected. Deployments not using local authentication are also not affected.
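The following is an added illustration of the flaw class described above, written for this advisory; it is not JumpServer's code, and the endpoint shape, field names (captcha_seed, _server_side_code) and the millisecond-timestamp seed are assumptions made to keep the example self-contained. It shows why a verification code drawn from a seeded PRNG is worthless once the seed is visible to the client, and the hardened form that draws the code from the OS CSPRNG and compares it in constant time.

```python
"""Toy model of a seed-exposure weakness in password-reset codes.

Added example, not JumpServer's code. The vulnerable path seeds the standard
PRNG with a value the client can also read from the API response (the leaking
field is an assumption of this example). Anyone holding the seed can run the
same generator and obtain the same reset code, so the code no longer proves
that the requester controls the victim's mailbox or phone.
"""
import random
import secrets
import string
import time

DIGITS = string.digits
CODE_LENGTH = 6


def vulnerable_issue_code(seed: int) -> str:
    """Weak pattern: the code is a pure function of the seed (Mersenne Twister)."""
    rng = random.Random(seed)
    return "".join(rng.choice(DIGITS) for _ in range(CODE_LENGTH))


def vulnerable_captcha_endpoint() -> dict:
    """Simulated API response that leaks the seed next to the captcha.

    Constructed for this example; the real endpoint and field names are not
    shown on this page. The server keeps `_server_side_code` for the victim and
    the JSON body hands `captcha_seed` to whoever called the endpoint.
    """
    seed = int(time.time() * 1000)  # assumed seed source, low entropy anyway
    return {"captcha_seed": seed, "_server_side_code": vulnerable_issue_code(seed)}


def attacker_predict_code(leaked_seed: int) -> str:
    """Attacker reproduces the verification code from the leaked seed alone."""
    return vulnerable_issue_code(leaked_seed)


def secure_issue_code() -> str:
    """Hardened form: draw the code from the OS CSPRNG; there is no seed to leak."""
    return "".join(secrets.choice(DIGITS) for _ in range(CODE_LENGTH))


def verify_code(submitted: str, stored: str) -> bool:
    """Constant-time comparison so timing does not leak the stored code."""
    return secrets.compare_digest(submitted.encode(), stored.encode())


def demo_attack() -> bool:
    """Return True if the attacker's reproduced code passes verification."""
    resp = vulnerable_captcha_endpoint()
    guess = attacker_predict_code(resp["captcha_seed"])
    return verify_code(guess, resp["_server_side_code"])


if __name__ == "__main__":
    print("attacker reproduces weak code:", demo_attack())
    print("CSPRNG-backed code (not reproducible from any seed):", secure_issue_code())
```

The point of the hardened version is not the digit count but the entropy source: `secrets.choice` reads from the OS CSPRNG, so there is no state the server could leak that would let a client recompute the code. On a patched instance, rate-limiting reset attempts and MFA remain worthwhile defence in depth.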


Remediation

Install the security update from the vendor's website.

External links