CVE-2023-46123 MEDIUM

CVE-2023-46123: jumpserver is vulnerable to password brute-force protection bypass via arbitrary IP values

Vendor Jumpserver
Product jumpserver
Weakness CWE-307 · Brute force
Published October 25, 2023
Last update March 25, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

jumpserver is an open source bastion host, a professional operations and maintenance security audit system that complies with the 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address on each request. This vulnerability has been patched in version 3.8.0.
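The description says the login throttle could be reset by changing the apparent source address on every request. The following example is added here and is not jumpserver's code; the page does not say how jumpserver derived the client address, so the example assumes the usual cause of this flaw class (a throttle keyed on a client-supplied X-Forwarded-For header) and contrasts it with a throttle keyed on the TCP peer address, honouring the forwarding header only when the peer is a configured reverse proxy. The request dictionary shape, TRUSTED_PROXIES, the attempt limits and the sample addresses are all constructed for the illustration.

```python
"""Login throttle keyed on a spoofable header versus on the trusted peer address.

Added example, not jumpserver's code. Request shape, proxy list and
addresses are constructed for the demonstration.
"""
from collections import defaultdict

MAX_ATTEMPTS = 5          # constructed limit: failed logins allowed per key
WINDOW_SECONDS = 300      # constructed sliding window
# Constructed: the only reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.2", "10.0.0.3"}


class LoginThrottle:
    """Sliding-window counter; the key function decides what 'one client' means."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.attempts = defaultdict(list)

    def allow(self, request, now):
        key = self.key_func(request)
        recent = [t for t in self.attempts[key] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            self.attempts[key] = recent
            return False
        recent.append(now)
        self.attempts[key] = recent
        return True


def key_from_header(request):
    """Weak keying: trusts the first X-Forwarded-For value from any sender.

    Anyone connecting directly can write a fresh value per request, so every
    request lands in a new bucket and the counter never reaches the limit.
    """
    xff = request["headers"].get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return request["remote_addr"]


def key_from_trusted_peer(request):
    """Hardened keying: start from the TCP peer, which the sender cannot forge.

    Only when that peer is a configured proxy is X-Forwarded-For consulted,
    and then the rightmost hop that is not itself a trusted proxy is used,
    because that is the address the proxy chain actually saw.
    """
    remote = request["remote_addr"]
    xff = request["headers"].get("X-Forwarded-For")
    if remote not in TRUSTED_PROXIES or not xff:
        return remote
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote


def rotating_header_requests(count):
    """Constructed traffic: one direct client (203.0.113.7) that rewrites
    X-Forwarded-For on every request. Addresses are documentation ranges."""
    return [
        {"remote_addr": "203.0.113.7",
         "headers": {"X-Forwarded-For": f"192.0.2.{i}"}}
        for i in range(count)
    ]


def count_allowed(key_func, requests):
    """Run the throttle over the requests and return how many got through."""
    throttle = LoginThrottle(key_func)
    base = 1_700_000_000.0  # constructed fixed clock; one second per request
    return sum(1 for i, req in enumerate(requests)
               if throttle.allow(req, base + i))


if __name__ == "__main__":
    traffic = rotating_header_requests(20)
    print("header-keyed throttle allowed:", count_allowed(key_from_header, traffic))
    print("peer-keyed throttle allowed:  ", count_allowed(key_from_trusted_peer, traffic))
```

With the same twenty requests, the header-keyed throttle admits all of them because each request is counted under a different bucket, while the peer-keyed throttle stops at MAX_ATTEMPTS. The same rule applies to any "client address" a rate limiter, lockout counter or audit log records: derive it from the connection, and accept a forwarding header only from proxies you operate.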

Key dates

02 Disclosure timeline

October 25, 2023 CVE published
March 25, 2025 Record updated