Platform: python
Component: jumpserver/jumpserver
Fixed in: 3.10.7
CVE-2024-29201 is a critical Remote Code Execution (RCE) vulnerability in JumpServer, an open-source bastion host and security audit system. The flaw lets an attacker bypass the input validation JumpServer applies to Ansible playbooks, so that a crafted playbook executes arbitrary code in the Celery container, the component that runs those playbooks. JumpServer versions 3.0.0 through 3.10.6 are affected; the fix ships in version 3.10.7.
The impact is severe. Code executed in the Celery container runs as root, and the container has direct access to the JumpServer database. An attacker can therefore read the credentials and other sensitive data stored for every managed host, modify user accounts and credentials, and from there take complete control of the JumpServer deployment and move laterally to the hosts it manages. Root inside the container also increases the damage from any subsequent container escape.
The vulnerability is considered highly exploitable: the validation bypass is straightforward and the Celery container runs as root. The EPSS score reported on this page (68.52%, 99th percentile) indicates a high probability of exploitation attempts, and public proof-of-concept code should be expected. The vulnerability was publicly disclosed on 2024-03-29.
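The page describes the weakness only as insecure validation of Ansible playbooks and does not say how JumpServer's check worked or how it was bypassed. The following is an added illustration, not JumpServer code, of the general weakness class: validating the raw text of a format that is later parsed (a substring denylist) beside a structural check that parses the playbook first and allowlists what it may do. The module allowlist, the task keyword set and the constructed JSON samples are assumptions made for the example; JSON is used so it loads without PyYAML, and the loader falls back to `json` when `yaml` is absent.

```python
"""Playbook validation: a text denylist beside a structural allowlist.

Added illustration, not JumpServer code. The page does not describe the real
check or its bypass; this shows why validating raw text of a parsed format is
unsafe and what a structural check looks like instead."""
import json

try:  # PyYAML is the loader Ansible itself uses; fall back to JSON (valid YAML)
    import yaml

    def load_playbook(text):
        return yaml.safe_load(text)
except ImportError:
    def load_playbook(text):
        return json.loads(text)

# --- the weak pattern: substring denylist over the raw text -------------------
DENYLIST = ("shell", "command", "raw", "script", "localhost", "delegate_to")


def naive_validate(text):
    """Accepts the playbook unless a banned word appears verbatim. Escapes such
    as "sh\\u0065ll" defeat it, and it also rejects harmless words like "draw"."""
    lowered = text.lower()
    return not any(word in lowered for word in DENYLIST)


# --- the hardened pattern: parse first, then allowlist the structure ----------
ALLOWED_MODULES = {"ping", "setup", "stat", "debug", "copy", "template", "file"}  # assumed
TASK_KEYWORDS = {"name", "args", "vars", "when", "loop", "with_items", "register",
                 "become", "become_user", "ignore_errors", "changed_when",
                 "failed_when", "tags", "notify", "until", "retries", "delay",
                 "no_log", "environment"}
FORBIDDEN_TASK_KEYS = {"delegate_to", "local_action", "action", "connection"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def module_name(task):
    """The module a task invokes, with the ansible.builtin/legacy prefix removed."""
    keys = [k for k in task if k not in TASK_KEYWORDS and k not in FORBIDDEN_TASK_KEYS]
    if len(keys) != 1:
        raise ValueError(f"task has {len(keys)} candidate module keys: {keys}")
    name = keys[0]
    for prefix in ("ansible.builtin.", "ansible.legacy."):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def check_tasks(tasks, problems):
    for task in tasks or []:
        if not isinstance(task, dict):
            problems.append("task is not a mapping")
            continue
        bad = FORBIDDEN_TASK_KEYS & set(task)
        if bad:
            problems.append(f"forbidden task keyword(s): {sorted(bad)}")
        if any(k in task for k in ("block", "rescue", "always")):
            for section in ("block", "rescue", "always"):  # nested task lists
                check_tasks(task.get(section), problems)
            continue
        try:
            name = module_name(task)
        except ValueError as err:
            problems.append(str(err))
            continue
        if name not in ALLOWED_MODULES:
            problems.append(f"module not allowlisted: {name}")


def hardened_validate(text):
    """Returns (ok, problems). Rejects plays aimed at the controller, tasks that
    delegate to it, free-form `action`, and any module outside the allowlist."""
    try:
        plays = load_playbook(text)
    except Exception as err:
        return False, [f"unparseable playbook: {err}"]
    if not isinstance(plays, list):
        return False, ["playbook must be a list of plays"]
    problems = []
    for play in plays:
        if not isinstance(play, dict):
            problems.append("play is not a mapping")
            continue
        hosts = str(play.get("hosts", "")).strip().lower()
        if hosts in LOCAL_HOSTS:
            problems.append(f"play targets the controller: hosts={hosts}")
        if "connection" in play:
            problems.append("play sets 'connection' (could force local execution)")
        if "roles" in play:
            problems.append("roles are not inspected here and so are not permitted")
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            check_tasks(play.get(section), problems)
    return not problems, problems


# Constructed samples (JSON so they load without PyYAML). Python keeps the
# backslash, so the text literally contains "sh\u0065ll"; the loader turns it
# into the key "shell", which the text denylist never sees.
BENIGN = '[{"hosts": "web", "tasks": [{"name": "reach", "ansible.builtin.ping": null}]}]'
EVASIVE_MODULE = '[{"hosts": "web", "tasks": [{"name": "tidy", "sh\\u0065ll": "id"}]}]'
EVASIVE_DELEGATE = ('[{"hosts": "web", "tasks": [{"name": "probe", "ping": null, '
                    '"delegate\\u005fto": "local\\u0068ost"}]}]')

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("evasive module", EVASIVE_MODULE),
                        ("evasive delegate", EVASIVE_DELEGATE)):
        print(f"{label:17} naive={naive_validate(text)} hardened={hardened_validate(text)}")
```

The denylist passes both evasive samples and the structural validator rejects them: the first because the parsed module name is `shell`, the second because `delegate_to` would run the task on the controller (which in JumpServer's case is the Celery container the page describes). The lesson is not the specific escape but that any check must operate on the same parsed structure the executor will act on.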
Exploit Status
EPSS: 68.52% (99th percentile)
The primary mitigation for CVE-2024-29201 is to upgrade JumpServer to version 3.10.7 or later without delay. If that is not immediately feasible, reduce exposure in the meantime: limit the ability to create and run Ansible playbooks and jobs to a small set of trusted administrators, or disable the Ansible functionality entirely; restrict network access to the JumpServer web interface to trusted networks; and review JumpServer's job and Celery logs for playbook executions you did not expect. A Web Application Firewall rule on the playbook-submission endpoints adds defence in depth, but it should not be relied on, because the bypass lives in the playbook content the application itself parses. After upgrading, verify the fix by confirming that every JumpServer component in the deployment reports version 3.10.7 or later; do not attempt to reproduce the exploit against a production bastion.
Update JumpServer to version 3.10.7 or higher. That release corrects the insecure Ansible playbook validation that allows remote code execution, removing the path to arbitrary code execution in the Celery container.
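A quick way to check a deployment against the affected range on this page (3.0.0 through 3.10.6, fixed in 3.10.7). This is an added example, not a JumpServer tool: it parses version strings as they appear in release tags, and scans container image references of the kind printed by `docker ps --format '{{.Image}}'`. The image name `jumpserver/core` in the constructed sample is an assumption about the deployment, as is the conservative choice to treat a pre-release build of 3.10.7 (such as `3.10.7-rc1`) as still affected, since the page only vouches for the 3.10.7 release.

```python
"""Version check for CVE-2024-29201: affected 3.0.0 <= v <= 3.10.6, fixed in 3.10.7.
Added example; not JumpServer project code."""
import re

AFFECTED_MIN = (3, 0, 0)   # first affected release named on the page
AFFECTED_MAX = (3, 10, 6)  # last affected release named on the page
FIXED_IN = (3, 10, 7)      # first release carrying the fix
PRERELEASE = ("rc", "alpha", "beta", "dev")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.+]([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'v3.10.6', '3.10.6' or '3.10.7-rc1' into (major, minor, patch, suffix).
    Raises ValueError for strings that are not a plain semantic version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JumpServer version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), (suffix or "").lower()


def is_affected(text):
    """True if the version lies in the advisory's affected range.

    Assumption: a pre-release of the fixed version (e.g. '3.10.7-rc1') is
    flagged as affected, because only the 3.10.7 release is vouched for."""
    major, minor, patch, suffix = parse_version(text)
    core = (major, minor, patch)
    if AFFECTED_MIN <= core <= AFFECTED_MAX:
        return True
    if core == FIXED_IN and suffix.startswith(PRERELEASE):
        return True
    return False


def scan_image_refs(lines):
    """Map image references (as printed by `docker ps --format '{{.Image}}'`)
    to True (affected), False (not affected) or None (could not tell).

    Only references whose path mentions 'jumpserver' are examined. A reference
    with no tag, a registry port but no tag, or a non-version tag such as
    'latest' is reported as None rather than silently passed."""
    verdicts = {}
    for line in lines:
        ref = line.strip()
        if not ref or "jumpserver" not in ref.lower():
            continue
        repo, _, tag = ref.rpartition(":")
        if not repo or "/" in tag:  # no tag, or the colon belonged to a registry port
            verdicts[ref] = None
            continue
        try:
            verdicts[ref] = is_affected(tag)
        except ValueError:
            verdicts[ref] = None
    return verdicts


if __name__ == "__main__":
    # Constructed sample of `docker ps --format '{{.Image}}'` output; the
    # image name jumpserver/core is assumed, not taken from the page.
    sample = ["jumpserver/core:v3.10.6", "jumpserver/core:v3.10.7",
              "jumpserver/core:latest", "redis:6-alpine"]
    for ref, verdict in scan_image_refs(sample).items():
        state = {True: "AFFECTED", False: "ok", None: "unknown"}[verdict]
        print(f"{ref:28} {state}")
```

A `None` verdict is deliberate: an image pinned to `latest` tells you nothing about which release is running, so it should prompt a manual check rather than be counted as patched.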
CVE-2024-29201 is a critical Remote Code Execution vulnerability in JumpServer versions 3.0.0 through 3.10.6, allowing attackers to execute arbitrary code in the Celery container via a crafted Ansible playbook.
You are affected if you are running JumpServer versions 3.0.0 to 3.10.6. Verify your version and upgrade immediately.
Upgrade JumpServer to version 3.10.7 or later to resolve the vulnerability. If an immediate upgrade is not possible, restrict who can create and run Ansible playbooks, disable the Ansible functionality, or limit network access to the JumpServer web interface until you can upgrade.
No active exploitation is confirmed on this page, but given the severity, the ease of exploitation and the EPSS score of 68.52% (99th percentile), treat exploitation as likely and patch promptly.
Refer to the JumpServer project's security advisories on GitHub for the official advisory and updates: https://github.com/jumpserver/jumpserver/security/advisories