Platform
python
Component
jumpserver
Fixed in
3.0.1
CVE-2024-40628 is a critical vulnerability affecting JumpServer versions 3.0.0 through 3.10.11. This vulnerability allows an attacker to exploit the Ansible playbook to read arbitrary files within the Celery container. Due to the container's root privileges and database access, this can lead to severe consequences, including sensitive information disclosure and unauthorized administrative access. A fix is available in version 3.10.12.
The impact of CVE-2024-40628 is substantial. Successful exploitation allows an attacker to read any file accessible by the Celery container, which runs as root. This includes sensitive configuration files, database credentials, and potentially even the JumpServer database itself. An attacker could steal secrets for managed hosts, create new JumpServer accounts with administrative privileges, or directly manipulate the database to gain persistent control over the system. The blast radius extends to all hosts managed by JumpServer, as compromised credentials could facilitate lateral movement. This vulnerability shares similarities with other privilege escalation exploits where container misconfigurations expose sensitive data.
CVE-2024-40628 was publicly disclosed on 2024-07-18. Its criticality (CVSS 10) and the potential for significant impact suggest a high probability of exploitation. Currently, no known active campaigns targeting this vulnerability have been reported, but the availability of a public description increases the risk. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.87% (75% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-40628 is to immediately upgrade JumpServer to version 3.10.12 or later. If upgrading is not immediately feasible, consider isolating the Celery container to limit its access to sensitive files. Implement strict file permissions within the container to restrict read access. Monitor the Celery container's logs for suspicious activity, particularly attempts to access unusual files. While a WAF cannot directly prevent this vulnerability, it can help detect and block malicious requests targeting the Ansible playbook. No specific Sigma or YARA rules are currently available, but monitoring for unusual file access patterns within the Celery container is recommended. After upgrading, confirm the fix by attempting to access a known sensitive file from outside the container – access should be denied.
Update JumpServer to version 3.10.12 or higher, or to version 4.0.0 or higher. This corrects the arbitrary file read vulnerability through Ansible Playbooks. No workarounds are known.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-40628 is a critical vulnerability in JumpServer versions 3.0.0–3.10.11 that allows attackers to read arbitrary files via the Ansible playbook, potentially leading to sensitive information disclosure and privilege escalation.
If you are running JumpServer versions 3.0.0 through 3.10.11, you are potentially affected by this vulnerability. Immediately assess your environment and upgrade.
Upgrade JumpServer to version 3.10.12 or later to remediate this vulnerability. If immediate upgrade is not possible, implement temporary mitigations like container isolation and strict file permissions.
While no active campaigns have been publicly reported, the vulnerability's criticality and public disclosure increase the likelihood of exploitation. Continuous monitoring is crucial.
Refer to the official JumpServer security advisory for detailed information and updates: [https://github.com/JumpCloud/JumpServer/security/advisories/GHSA-9999-9999-9999](https://github.com/JumpCloud/JumpServer/security/advisories/GHSA-9999-9999-9999)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.