Platform
python
Component
jumpserver/jumpserver
Fixed in
3.0.1
CVE-2024-40629 is a critical Remote Code Execution (RCE) vulnerability discovered in JumpServer, an open-source Privileged Access Management (PAM) tool. This vulnerability allows an attacker to exploit an Ansible playbook to write arbitrary files, leading to complete system compromise. The vulnerability affects versions 3.0.0 through 3.10.11, and a patch is available in version 3.10.12.
The impact of CVE-2024-40629 is severe. Successful exploitation allows an attacker to execute arbitrary code within the Celery container, which runs as root and has full access to the JumpServer database. This grants the attacker the ability to steal all stored secrets for managed hosts, create new JumpServer accounts with administrative privileges, and manipulate the database to gain persistent access. The blast radius extends to all systems managed by JumpServer, making it a high-priority risk. This vulnerability shares similarities with other Ansible-related privilege escalation exploits where misconfigured playbooks can be leveraged for unauthorized access and control.
CVE-2024-40629 was publicly disclosed on July 18, 2024. The vulnerability's criticality (CVSS score of 10) and the potential for widespread impact suggest a high probability of exploitation. While no public exploits have been confirmed at the time of writing, the ease of exploitation and the sensitivity of the data at risk make it a likely target for attackers. It is not currently listed on CISA KEV, but its severity warrants close monitoring.
Exploit Status
EPSS
9.36% (93% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-40629 is to immediately upgrade JumpServer to version 3.10.12 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the Ansible playbook directory and carefully review the playbook's contents for any potential vulnerabilities. Implement strict file access controls within the Celery container to prevent unauthorized file writes. Monitor Celery container logs for suspicious activity, particularly any attempts to write files outside of expected locations. After upgrading, confirm the fix by attempting to trigger the vulnerable Ansible playbook and verifying that it is no longer exploitable.
Update JumpServer to version 3.10.12 or higher, or to version 4.0.0 or higher. This corrects the arbitrary file write vulnerability that could allow remote code execution. No workarounds are known.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-40629 is a critical Remote Code Execution vulnerability in JumpServer versions 3.0.0 through 3.10.11, allowing attackers to execute arbitrary code via an Ansible playbook.
You are affected if you are running JumpServer versions 3.0.0 through 3.10.11. Upgrade to version 3.10.12 or later to mitigate the risk.
Upgrade JumpServer to version 3.10.12 or later. As a temporary workaround, restrict access to the Ansible playbook directory and implement strict file access controls.
While no confirmed exploitation has been publicly reported, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the official JumpServer security advisory on their website or GitHub repository for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.