CVE-2024-29202
📋 TL;DR
This CVE describes a Jinja2 template injection vulnerability in JumpServer's Ansible component that allows authenticated attackers to execute arbitrary code with root privileges in the Celery container. Since the Celery container has database access, attackers could steal sensitive information from all managed hosts or manipulate the database. Organizations running vulnerable versions of JumpServer are affected.
💻 Affected Systems
- JumpServer
📦 What is this software?
Jumpserver by Fit2cloud
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the JumpServer instance leading to credential theft from all managed systems, database manipulation, and lateral movement throughout the entire infrastructure.
Likely Case
Attackers gain root access to the Celery container, exfiltrate database credentials and sensitive operational data, and potentially pivot to other systems.
If Mitigated
Limited impact due to network segmentation, strong authentication requirements, and monitoring that detects anomalous activity.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained. Public technical details and proof-of-concept code are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.10.7
Vendor Advisory: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch
Restart Required: Yes
Instructions:
1. Backup your JumpServer configuration and database. 2. Stop all JumpServer services. 3. Update to v3.10.7 using your deployment method (Docker, source, or package). 4. Restart all JumpServer services. 5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Access to JumpServer
allLimit network access to JumpServer to only trusted IP addresses and require multi-factor authentication for all users.
Monitor for Anomalous Activity
allImplement enhanced logging and monitoring for suspicious Ansible task executions and Celery container activities.
🧯 If You Can't Patch
- Isolate JumpServer instance from critical systems using network segmentation and firewall rules.
- Implement strict access controls, audit all user accounts, and enable comprehensive logging with real-time alerting.
🔍 How to Verify
Check if Vulnerable:
Check your JumpServer version. If it's below v3.10.7, you are vulnerable.Check Version:
docker exec jumpserver_core python -c "import jumpserver; print(jumpserver.__version__)" or check the web interface admin panel.Verify Fix Applied:
After updating, verify the version is v3.10.7 or higher and test that Ansible functionality works normally without errors.📡 Detection & Monitoring
Log Indicators:
- Unusual Jinja2 template executions in Ansible logs
- Suspicious commands executed in Celery container logs
- Unexpected database queries from Celery processes
Network Indicators:
- Anomalous outbound connections from JumpServer to external systems
- Unexpected database traffic patterns
SIEM Query:
source="jumpserver" AND ("jinja2" OR "ansible" OR "celery") AND ("injection" OR "exec" OR "suspicious")