Cyber Resilience

CVE-2024-24763

Severity: Medium

Published: 20 February 2024

Modified: 17 December 2024
KEV Added: not listed
Patch: available (version 3.10.0)
CVSS v3.1 score: 4.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
EPSS score: 0.2526 (96.3rd percentile)
Risk priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-24763 is a medium-severity Open Redirect (CWE-601) vulnerability in Fit2Cloud JumpServer. Its CVSS base score is 4.3 (Medium).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

JumpServer, an open source bastion host and operation and maintenance security audit system, contains an open redirect vulnerability (CWE-601) in versions prior to 3.10.0. The flaw lets an attacker construct malicious links that are then presented to users. The CVSS 3.1 score of 4.3 reflects a network attack vector, low attack complexity, no privileges required, user interaction required, and a low availability impact with no effect on confidentiality or integrity.

An unauthenticated attacker can supply crafted URLs that, once clicked by a victim, redirect the user to an arbitrary destination. This enables phishing campaigns or cross-site scripting attacks against JumpServer users who interact with the links.

The official GitHub security advisory GHSA-p2mq-cm25-g4m5 and the v3.10.0 release notes state that the patch is included in version 3.10.0 and that no workarounds are known.

The associated EPSS score peaked at 0.3068; its current value is 0.2526.

EU & UK References

Vulnerability details

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available.

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fit2cloud; product: jumpserver; versions: ≤ 3.10.0 (as listed; note that the advisory text above states that 3.10.0 contains the patch, so versions prior to 3.10.0 are the affected ones)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-601: Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses CWE-601: Validates redirect targets and URLs to ensure they conform to allowed destinations.
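To make the second control concrete, the following is an added example of an allow-list check for redirect targets written for this page; it is not JumpServer's code and assumes a hypothetical set of the bastion's own hostnames (the sample host `jump.example` is constructed). It rejects the common CWE-601 bypasses: scheme-relative and backslash forms, non-http schemes, userinfo smuggling and embedded control characters.

```python
from urllib.parse import urlsplit

# Constructed: where a user is sent when the requested target is rejected.
SAFE_DEFAULT = "/"


def safe_redirect_target(target: str, allowed_hosts: set, default: str = SAFE_DEFAULT) -> str:
    """Return `target` only if it is a local path or an http(s) URL whose host is
    in `allowed_hosts`; otherwise return `default`."""
    if not isinstance(target, str) or not target:
        return default
    # Browsers strip whitespace and C0 controls before parsing, which lets a
    # crafted value change meaning after our check; refuse such input outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return default
    # Browsers treat "\" as "/" in the authority part, so "/\evil.example"
    # is navigated as "//evil.example" even though urlsplit sees a plain path.
    if "\\" in target:
        return default
    # "//host" and "///host" are scheme-relative (off-site) in browsers.
    if target.startswith("//"):
        return default
    parts = urlsplit(target)
    # No scheme and no authority: a relative path that stays on this origin.
    if not parts.scheme and not parts.netloc:
        return target if target.startswith("/") else default
    # Absolute URLs: only http(s), no userinfo ("https://good@evil"), exact host match.
    if parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return default
    return target


if __name__ == "__main__":
    # Constructed sample "next" parameter values a login handler might receive.
    samples = ["/core/auth/login/", "//evil.example/", "/\\evil.example",
               "https://jump.example/ui/", "https://jump.example@evil.example/",
               "javascript:alert(1)", "https:evil.example", "/ok\r\nX: y"]
    for s in samples:
        print(repr(s), "->", safe_redirect_target(s, {"jump.example"}))
```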

References