CVE-2023-46138 LOW

CVE-2023-46138: JumpServer default admin user email leak password reset

Vendor Jumpserver

Product jumpserver

Weakness CWE-640 · Weak password recovery

Published October 30, 2023

Last update September 5, 2024

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.

Key dates

02Disclosure timeline

October 30, 2023 CVE published

September 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-46138

Related vulnerabilities

CVE-2023-46138: JumpServer default admin user email leak password reset

01Description

02Disclosure timeline

03References

04Related CVE