Platform
python
Component
jumpserver/jumpserver
Fixed in
3.10.12 (4.x line: 4.0.0)
CVE-2024-40629 is a critical remote code execution (RCE) vulnerability in JumpServer, an open-source privileged access management (PAM) tool. An attacker who can get JumpServer to run an Ansible playbook can use that playbook to write arbitrary files on the side that executes it, and an arbitrary file write there is enough to obtain code execution. Affected versions are 3.0.0 through 3.10.11; the fix shipped in 3.10.12 (and in 4.0.0 for the 4.x line).
The impact is severe. Code runs inside the Celery container, which runs as root and holds full access to the JumpServer database. From there an attacker can read every stored secret for managed hosts, create JumpServer accounts with administrative privileges, and edit the database to stay persistent. Because JumpServer is the gateway to everything it manages, the blast radius is every managed system, which makes this a high-priority risk. The underlying pattern is common to automation platforms: a playbook is trusted to act on managed hosts, and nothing adequately stops it from acting on the node that runs it.
CVE-2024-40629 was publicly disclosed on July 18, 2024. Its criticality (CVSS score of 10.0) and the value of the data behind it make exploitation likely. No public exploit had been confirmed at the time of writing, but the low effort required and the sensitivity of the stored credentials make it an attractive target. It was not listed on CISA KEV at the time of writing; its severity still warrants close monitoring.
Organizations that rely on JumpServer for privileged access management are most exposed: DevOps teams, IT administrators, and any environment whose sensitive credentials are stored and brokered by JumpServer. Deployments on 3.0.0 through 3.10.11 are directly vulnerable and need immediate attention.
• linux / server: follow the Celery worker log while playbook jobs run and look for playbook runs you did not schedule (the literal string "arbitrary file write" never appears in a log; grep for the playbook job itself):
  journalctl -u celery -f | grep -i playbook
  On the container deployment use the worker container instead: docker logs -f jms_celery 2>&1 | grep -i playbook (jms_celery is the name the default installer gives the worker; adjust if yours differs).
• linux / server: list the files the Celery worker currently has open; lsof takes a PID, not a process name:
  lsof -p "$(pgrep -o -f celery)" | grep -i playbook
• generic web: the deciding check is the running version, which must be 3.10.12 or later (or 4.0.0 or later). The original probe below targets a path this page does not document; it is only meaningful if your deployment actually serves playbooks there:
  curl -I http://<jumpserver_ip>/ansible/playbook/ # check for directory listing or an exposed playbook
Exploit Status
EPSS
9.36% (93rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-40629 is to upgrade JumpServer to 3.10.12 or later (or 4.0.0 or later) immediately. If that cannot happen at once, reduce exposure in the meantime: restrict who can create and run playbooks, review every playbook's contents before it runs, restrict access to the playbook directory, and tighten file permissions inside the Celery container so that a job cannot write outside the locations it needs. Monitor the Celery container's logs for playbook runs you did not expect and for files appearing outside the job's working directory. After upgrading, confirm that the running instance reports 3.10.12 or later before treating the issue as closed; testing the fix by replaying the attack on production is not necessary and not advisable.
Upgrade JumpServer to version 3.10.12 or later, or to version 4.0.0 or later. This corrects the arbitrary file write vulnerability that could allow remote code execution. No alternatives (workarounds) are known.
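Two checks that follow from the guidance above, written here as an added example; this is not JumpServer project code and not code from the original entry. The first tests whether a version string falls in the affected range the page gives (3.0.0 up to but not including 3.10.12; 4.0.0 and later carry the fix). The second is a hygiene audit of an Ansible playbook: it flags tasks that use file-writing modules and would execute on the control node (the side where JumpServer's Celery worker runs the play) instead of on the managed host. The module list and the control-node heuristics (delegate_to localhost, local_action, connection: local, hosts: localhost) are assumptions of this example; the page does not state which playbook construct the exploit used. The sample playbook is constructed and embedded as JSON (valid YAML) so the script runs offline; for real files parse with yaml.safe_load and pass the result in.

```python
"""Added example (not JumpServer project code): triage helpers for CVE-2024-40629.

is_affected()    -> is a JumpServer version inside the range this page gives
                    (3.0.0 <= v < 3.10.12; 4.0.0 and later carry the fix)?
audit_playbook() -> which tasks in a playbook can write files on the control node
                    (the JumpServer/Celery side) rather than on the managed host?
                    Module list and heuristics are assumptions of this example.
"""
import json
import re
from typing import List, Tuple

AFFECTED_MIN = (3, 0, 0)   # first affected release per the advisory
FIXED_3X = (3, 10, 12)     # first fixed 3.x release; 4.0.0 and later are also fixed


def parse_version(version: str) -> Tuple[int, int, int]:
    """Accept 'v3.10.11', '3.10.11' or '3.10.11-ce'; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised JumpServer version: {version!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True for 3.0.0 .. 3.10.11 inclusive; 2.x and 4.x fall outside the range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_3X


# Modules that create or modify files wherever the task executes (assumed list).
FILE_WRITING_MODULES = {
    "copy", "template", "lineinfile", "blockinfile", "file", "unarchive",
    "get_url", "shell", "command", "raw", "script",
}
# Task-level keywords; any other top-level key of a task names its module.
TASK_KEYWORDS = {
    "name", "delegate_to", "connection", "become", "become_user", "when",
    "register", "loop", "with_items", "args", "vars", "tags", "notify",
    "ignore_errors", "changed_when", "failed_when", "environment", "local_action",
}
CONTROL_NODE_HOSTS = {"localhost", "127.0.0.1"}


def task_module(task: dict) -> str:
    """Short module name: 'copy' for 'ansible.builtin.copy' or for a local_action."""
    local = task.get("local_action")
    if isinstance(local, dict):
        return str(local.get("module", "")).rsplit(".", 1)[-1]
    if isinstance(local, str):
        return local.split()[0].rsplit(".", 1)[-1]
    for key in task:
        if key not in TASK_KEYWORDS:
            return key.rsplit(".", 1)[-1]
    return ""


def runs_on_control_node(play: dict, task: dict) -> bool:
    """Heuristics for 'this task executes where Ansible itself runs'."""
    if "local_action" in task:
        return True
    if str(task.get("delegate_to", "")).lower() in CONTROL_NODE_HOSTS:
        return True
    if str(task.get("connection", play.get("connection", ""))).lower() == "local":
        return True
    return str(play.get("hosts", "")).lower() in CONTROL_NODE_HOSTS


def audit_playbook(plays: List[dict]) -> List[str]:
    """One finding per file-writing task that would execute on the control node."""
    findings = []
    for play in plays:
        for task in play.get("tasks", []):
            module = task_module(task)
            if module in FILE_WRITING_MODULES and runs_on_control_node(play, task):
                findings.append(
                    f"play {play.get('name', '?')!r}, task {task.get('name', '?')!r}: "
                    f"'{module}' executes on the control node and can write files"
                )
    return findings


# Constructed sample playbook (JSON is valid YAML; use yaml.safe_load for real files).
SAMPLE_PLAYBOOK = json.loads("""
[
  {"name": "routine web maintenance", "hosts": "web",
   "tasks": [
     {"name": "deploy nginx config", "ansible.builtin.template":
        {"src": "nginx.conf.j2", "dest": "/etc/nginx/nginx.conf"}},
     {"name": "restart nginx", "ansible.builtin.service":
        {"name": "nginx", "state": "restarted"}}
   ]},
  {"name": "looks like maintenance, writes locally", "hosts": "web",
   "tasks": [
     {"name": "drop a file where the worker runs", "ansible.builtin.copy":
        {"content": "payload", "dest": "/tmp/marker"}, "delegate_to": "localhost"},
     {"name": "shell on the worker", "local_action": "shell echo hi > /tmp/marker2"}
   ]}
]
""")

if __name__ == "__main__":
    for v in ("3.0.0", "v3.10.11", "3.10.12", "4.0.0"):
        print(f"{v:>9}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for finding in audit_playbook(SAMPLE_PLAYBOOK):
        print("FINDING:", finding)
```

The first play writes only to the managed host and produces no finding; both tasks of the second play are flagged, the copy because it is delegated to localhost and the shell because local_action always runs on the control node. A finding is a reason to read the playbook before it is allowed to run, not proof of an exploit attempt, and the audit is no substitute for the upgrade.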
CVE-2024-40629 is a critical Remote Code Execution vulnerability in JumpServer versions 3.0.0 through 3.10.11, allowing attackers to execute arbitrary code via an Ansible playbook.
You are affected if you are running JumpServer versions 3.0.0 through 3.10.11. Upgrade to version 3.10.12 or later (or 4.0.0 or later) to remove the risk.
Upgrade JumpServer to version 3.10.12 or later. Until then, restrict who can create and run playbooks, restrict access to the playbook directory, and tighten file permissions in the Celery container.
While no confirmed exploitation has been publicly reported, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the official JumpServer security advisory on their website or GitHub repository for detailed information and updates.