CVE-2023-42442: JumpServer Session Replay Download Bug Without Authentication
JumpServer is a popular open-source Bastion Host and professional operation and maintenance security audit system. However, a recently discovered vulnerability in JumpServer could allow attackers to download session replays without authentication.
For those unfamiliar with JumpServer, it’s the embodiment of innovation. Licensed under the GPLv3, JumpServer stands tall as a 4A-compliant professional operation and maintenance security audit system. Developed using Python and Django, this platform adheres to Web 2.0 specifications. Beyond its robust backend, JumpServer boasts an industry-leading Web Terminal solution, ensuring users are met with a visually appealing interface and an unparalleled experience.
The vulnerability, CVE-2023-42442, has a CVSS score of 8.2, rated high severity. It is caused by broken permission control on the /api/v1/terminal/sessions/ endpoint, which allows any unauthenticated user to download session replays. Those replays can contain sensitive information such as passwords, commands, and command output. The vulnerability affects JumpServer versions 3.0.0 to 3.6.3. There is a silver lining, however: if your session replays are stored in S3, OSS, or any other cloud storage, they are not affected.
Delving deeper, the vulnerability exists because of a flaw in the `/api/v1/terminal/sessions/` API's permission control. The endpoint permits anonymous access because the `IsSessionAssignee` permission class inherits from `BasePermission`, whose default behaviour is to allow the request. That oversight is what exposed session replays to unauthorized access.
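To see why a permission class that inherits `BasePermission` without overriding the view-level hook lets anonymous callers through, here is an added illustration (not JumpServer's code) modelled on Django REST Framework's permission hooks; the `User` and `Request` stand-ins, the `assignees` field and the class names are assumptions, and the base class is reproduced in miniature so the example runs without Django or DRF installed.

```python
from dataclasses import dataclass


class BasePermission:
    """Mirrors rest_framework.permissions.BasePermission: both hooks
    default to True, so a subclass that overrides neither allows everyone."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


@dataclass
class User:          # assumed stand-in for Django's request.user
    username: str
    is_authenticated: bool


@dataclass
class Request:       # assumed stand-in for a DRF request
    user: User


ANONYMOUS = User(username="", is_authenticated=False)


class WeakIsSessionAssignee(BasePermission):
    """Hypothetical weak class: only the per-object hook is overridden, so a
    list or download view that runs has_permission() first inherits the
    'always allow' default and never reaches this check for anonymous users."""

    def has_object_permission(self, request, view, obj):
        # obj is a constructed session dict with an "assignees" list
        return request.user.is_authenticated and request.user.username in obj["assignees"]


class HardenedIsSessionAssignee(WeakIsSessionAssignee):
    """Hypothetical hardened class: the view-level hook now rejects anonymous
    callers before any session is listed or any replay is streamed."""

    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


def can_list_sessions(permission_cls, request):
    """Simulates DRF's view-level check for a list endpoint such as
    /api/v1/terminal/sessions/: only has_permission() is consulted."""
    return permission_cls().has_permission(request, view=None)
```

The weak class still looks correct if you only read its object-level check; the gap is only visible at the view-level hook, which is the one a list endpoint consults.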
For the sake of responsible disclosure and to curb potential exploitation, intricate details surrounding this vulnerability have been momentarily withheld.
A session replay is a recording of a user’s activity on a computer system. Session replays are often used to troubleshoot problems or to monitor user activity.
If an attacker is able to exploit the CVE-2023-42442 vulnerability, they could download session replays that contain sensitive information such as passwords, commands, and outputs. This could allow the attacker to gain access to the affected system and take control of it.
The JumpServer team has been swift in addressing this issue. Fixed versions, namely v3.6.4 and v3.5.5, have been released. Users of affected versions are strongly recommended to upgrade immediately.
Post-upgrade, users should point their browsers at `$HOST/api/v1/terminal/sessions/?limit=1`. If the security patch has taken effect, the endpoint should return HTTP 401 (not_authenticated) to an unauthenticated request, confirming that the vulnerability has been resolved.