CVE-2024-40628 – This critical vulnerability in JumpServer allow... (How to Fix)

Q: What is the severity of CVE-2024-40628?

CVE-2024-40628 has a CVSS score of 10.0 (CRITICAL). This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery container, which runs with root privileges and database access. Exploitation can lead to complete compromise of the JumpServer instance, including stealing all host secrets and creating admin accounts. All organizations running vulnerable versions of JumpServer are affected.

📋 TL;DR

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery container, which runs with root privileges and database access. Exploitation can lead to complete compromise of the JumpServer instance, including stealing all host secrets and creating admin accounts. All organizations running vulnerable versions of JumpServer are affected.

💻 Affected Systems

Products:

JumpServer

Versions: All versions before 3.10.12 and 4.0.0

Operating Systems: All platforms running JumpServer

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments using the vulnerable versions are affected regardless of configuration.

📦 What is this software?

Jumpserver by Fit2cloud

View all CVEs affecting Jumpserver →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the JumpServer instance, allowing attackers to steal all credentials, create persistent admin accounts, manipulate the database, and pivot to internal network resources.

🟠

Likely Case

Sensitive information disclosure including database credentials, host secrets, and SSH keys, followed by privilege escalation and lateral movement within the network.

🟢

If Mitigated

Limited impact if JumpServer is isolated in a segmented network with strict access controls, though the container compromise remains severe.

🌐 Internet-Facing: HIGH - JumpServer is often exposed to the internet for remote access, making it a prime target for exploitation.

🏢 Internal Only: HIGH - Even internally deployed instances are at risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to the JumpServer interface but detailed technical analysis is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.12 or 4.0.0

Vendor Advisory: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9

Restart Required: Yes

Instructions:

1. Backup your JumpServer configuration and database. 2. Stop the JumpServer service. 3. Update to version 3.10.12 or 4.0.0 following official upgrade documentation. 4. Restart the service and verify functionality.

🧯 If You Can't Patch

Isolate JumpServer instance from other critical systems using network segmentation.
Implement strict access controls and monitor all JumpServer access for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check JumpServer version via web interface admin panel or by examining the container/packages.

Check Version:

docker exec jumpserver python -c "import jumpserver; print(jumpserver.__version__)" or check web interface

Verify Fix Applied:

Confirm version is 3.10.12 or higher (for v3) or 4.0.0 or higher (for v4) and test ansible playbook functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual ansible playbook executions
Unexpected file read operations in Celery logs
Database access from unexpected sources

Network Indicators:

Anomalous outbound connections from JumpServer container
Unexpected database queries

SIEM Query:

source="jumpserver" AND (ansible OR celery) AND (file_read OR unauthorized_access)

📊 Metadata

CVE ID: CVE-2024-40628

CVSS v3 Score: 10.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-22

Published: July 18, 2024

Last Updated: March 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-40628, you might also want to check these: