CVE-2024-24763
Published: 20 February 2024
Summary
CVE-2024-24763 is a medium-severity Open Redirect (CWE-601) vulnerability in Fit2Cloud JumpServer. Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
JumpServer, an open source bastion host and operations and maintenance (O&M) security audit system, contains an open redirect vulnerability (CWE-601) in versions prior to 3.10.0. The flaw lets an attacker construct malicious links and present them to users. The CVSS 3.1 score of 4.3 reflects a network attack vector, low attack complexity, no privileges required and user interaction required, with low availability impact and no impact on confidentiality or integrity.
An unauthenticated attacker can supply crafted URLs that, once clicked by a victim, redirect the user to an arbitrary destination. This enables phishing campaigns or cross-site scripting attacks against JumpServer users who interact with the links.
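The weakness class described above, as an added example that is not JumpServer's code: a redirect-target validator of the kind a login or logout endpoint should apply before following a user-supplied `next` value (covering scheme-relative `//host`, backslash and `javascript:` variants), plus a scan of constructed access-log lines for requests whose redirect parameter points off-site. The allowlisted host, the log format, the request paths and the parameter names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical site host; real deployments would read this from settings.
ALLOWED_HOSTS = {"jump.example.internal"}
# Common redirect-parameter names (assumption, not JumpServer-specific).
REDIRECT_PARAMS = ("next", "redirect", "redirect_uri", "url")

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` is a site-local path or an allowlisted http(s) host."""
    if not target or any(ord(c) < 0x21 for c in target):
        return False  # empty, or contains whitespace/control characters
    # Browsers treat backslashes as slashes, so "/\evil.example" becomes
    # scheme-relative "//evil.example"; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or scheme-relative URL: the hostname (not userinfo) must match.
        return (parts.hostname or "").lower() in allowed_hosts
    # No host component: accept only a path that starts with a single "/".
    return target.startswith("/") and not target.startswith("//")

def resolve_redirect(target, fallback="/"):
    """Follow `target` only when it passes the check; otherwise go to `fallback`."""
    return target if is_safe_redirect(target) else fallback

def flag_offsite_redirects(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return request paths whose redirect parameter would leave the site."""
    hits = []
    for line in log_lines:
        try:  # constructed format: <ip> "<METHOD> <path> HTTP/1.1" <status>
            path = line.split('"')[1].split()[1]
        except IndexError:
            continue
        query = parse_qs(urlsplit(path).query)
        for name in REDIRECT_PARAMS:
            if any(not is_safe_redirect(v, allowed_hosts) for v in query.get(name, [])):
                hits.append(path)
                break
    return hits

# Constructed sample access-log lines (placeholder paths, not JumpServer's).
SAMPLE_LOG = [
    '10.0.0.5 "GET /login/?next=/dashboard/ HTTP/1.1" 302',
    '10.0.0.6 "GET /login/?next=//evil.example/ HTTP/1.1" 302',
    '10.0.0.7 "GET /login/?next=https://jump.example.internal/x HTTP/1.1" 302',
]
```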
The official GitHub security advisory GHSA-p2mq-cm25-g4m5 and the v3.10.0 release notes state that the patch is included in version 3.10.0 and that no workarounds are known.
The associated EPSS score peaked at 0.3068; its current value is 0.2526.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22152
Vulnerability details
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.