CVE-2021-3169
📋 TL;DR
This vulnerability in Jumpserver allows attackers to create connection tokens through an unprotected API endpoint, which can then be used to access sensitive assets without proper authorization. It affects all Jumpserver deployments with vulnerable versions. Attackers can exploit this to gain unauthorized access to critical systems managed through Jumpserver.
💻 Affected Systems
- Jumpserver
📦 What is this software?
Jumpserver by Jumpserver
Jumpserver by Jumpserver
Jumpserver by Jumpserver
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all assets managed by Jumpserver, including servers, databases, and network devices, leading to data theft, ransomware deployment, or lateral movement across the entire infrastructure.
Likely Case
Unauthorized access to sensitive assets, credential theft, and potential privilege escalation within the Jumpserver-managed environment.
If Mitigated
Limited impact if proper network segmentation and access controls are in place, but still represents a significant authentication bypass vulnerability.
🎯 Exploit Status
The vulnerability is easily exploitable with publicly available information and requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.2, 2.5.4, or 2.4.5
Vendor Advisory: https://blog.fit2cloud.com/?p=1764
Restart Required: Yes
Instructions:
1. Backup your Jumpserver configuration and database. 2. Stop Jumpserver services. 3. Upgrade to version 2.6.2, 2.5.4, or 2.4.5 depending on your current version track. 4. Restart Jumpserver services. 5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Network Access Restriction
linuxRestrict network access to Jumpserver API endpoints to only trusted IP addresses or networks.
iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
API Endpoint Blocking
allUse web application firewall or reverse proxy to block access to the vulnerable API endpoint.
# Configure WAF/nginx to block /api/v1/authentication/connection-token/
🧯 If You Can't Patch
- Isolate Jumpserver instance from internet and restrict internal access to only necessary users
- Implement strict network monitoring and alerting for suspicious API calls to connection token endpoints
🔍 How to Verify
Check if Vulnerable:
Check Jumpserver version via web interface or by examining the installation directory. Versions below 2.6.2, 2.5.4, or 2.4.5 are vulnerable.Check Version:
cat /opt/jumpserver/core/version.py | grep VERSIONVerify Fix Applied:
Verify version is 2.6.2, 2.5.4, or 2.4.5 or higher. Test that unauthorized API calls to connection token endpoints are properly rejected.📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls to /api/v1/authentication/connection-token/
- Multiple failed authentication attempts followed by successful connection token creation
- Unusual asset access patterns from new connection tokens
Network Indicators:
- HTTP POST requests to connection token API from untrusted sources
- Sudden increase in API traffic to authentication endpoints
SIEM Query:
source="jumpserver" AND (uri_path="/api/v1/authentication/connection-token/" OR message="connection token")