CVE-2023-43651

8.5 HIGH

📋 TL;DR

This vulnerability allows authenticated JumpServer users who have been granted a MongoDB session to abuse the WEB CLI interface to execute arbitrary commands on the JumpServer host, resulting in remote code execution. Attackers can potentially gain root privileges on the system. All users running vulnerable versions of JumpServer are affected.

💻 Affected Systems

Products:
  • JumpServer
Versions: All versions before 2.28.20 and 3.7.1
Operating Systems: All platforms running JumpServer
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated JumpServer account that has been granted MongoDB database authorization, exercised through the koko component's WEB CLI interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, allowing attackers to pivot to internal networks, steal sensitive data, and deploy persistent backdoors.

🟠 Likely Case

Unauthorized remote code execution on the JumpServer host, enabling credential theft, lateral movement, and data exfiltration.

🟢 If Mitigated

Limited impact if proper network segmentation and least-privilege access controls are implemented, though the JumpServer host itself remains compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once access is obtained. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.28.20 or 3.7.1

Vendor Advisory: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96

Restart Required: Yes

Instructions:

1. Back up your JumpServer configuration and data.
2. Stop the JumpServer service.
3. Update to version 2.28.20 (for v2.x) or 3.7.1 (for v3.x) using your package manager or installation method.
4. Restart the JumpServer service.
5. Verify the update was successful.

🧯 If You Can't Patch

  • Restrict access to JumpServer's WEB CLI interface to only trusted users and networks.
  • Implement strict network segmentation to isolate JumpServer from critical systems.

🔍 How to Verify

Check if Vulnerable:

Check your JumpServer version. If it is below 2.28.20 (for v2.x) or below 3.7.1 (for v3.x), you are vulnerable.

Check Version:

jumpserver --version or check the web interface admin panel for version information.

Verify Fix Applied:

After updating, verify the version is 2.28.20 or higher (for v2.x) or 3.7.1 or higher (for v3.x).
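The version check above has a branch-specific threshold, and a naive string comparison gets it wrong (as strings, "3.10.0" sorts before "3.7.1"). The following is an added example, not part of the advisory or of the JumpServer project, that compares a reported version against the fixed release of its major branch. The only facts it takes from the page are the two fixed versions; how it treats branches other than 2.x and 3.x is an assumption marked in the code, and the inventory lines it runs over are constructed.

```python
"""Branch-aware version check for the CVE-2023-43651 fix.

Added example, not from the advisory or the JumpServer project. The fixed
versions (2.28.20 for v2.x, 3.7.1 for v3.x) come from the advisory; the
handling of other major branches is an assumption, noted below.
"""
import re

# Fixed release per major branch, as stated in the advisory.
FIXED_VERSIONS = {2: (2, 28, 20), 3: (3, 7, 1)}

def parse_version(text):
    """Extract the first x.y.z version from a string such as 'v3.7.0' or
    'JumpServer 2.28.19' and return it as a tuple of ints, so that
    comparison is numeric per component rather than lexicographic."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable(version_text):
    """True if the version is below the fixed release of its branch."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        # Assumption (not stated in the advisory): branches older than 2.x
        # predate both fixes and are treated as affected; branches newer
        # than 3.x postdate both fixes and are treated as fixed.
        return version[0] < 2
    return version < fixed

def triage(inventory):
    """Map host -> 'VULNERABLE' / 'FIXED' / 'UNKNOWN' for an iterable of
    (host, version_string) pairs; unparsable versions are reported as
    UNKNOWN rather than silently skipped."""
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version_text) else "FIXED"
        except ValueError:
            result[host] = "UNKNOWN"
    return result

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("jump-01.example.internal", "v2.28.19"),
        ("jump-02.example.internal", "JumpServer 2.28.20"),
        ("jump-03.example.internal", "3.7.0"),
        ("jump-04.example.internal", "3.10.2"),
        ("jump-05.example.internal", "unknown"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Feed it the version strings you collect from the admin panel or the CLI; anything reported as VULNERABLE or UNKNOWN needs a closer look before the host is considered patched.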

📡 Detection & Monitoring

Log Indicators:

  • Unusual MongoDB session activity through WEB CLI
  • Suspicious command execution patterns in JumpServer logs
  • Authentication logs showing unexpected user access to MongoDB resources

Network Indicators:

  • Unexpected outbound connections from JumpServer host
  • Anomalous traffic patterns to/from JumpServer's MongoDB port

SIEM Query:

source="jumpserver" AND (event="command_execution" OR event="mongodb_session") | stats count by user, command
