CVE-2024-29202
Published: 29 March 2024
Summary
CVE-2024-29202 is a critical-severity Code Injection (CWE-94) vulnerability in Fit2Cloud Jumpserver. Its CVSS base score is 9.9 (Critical).
Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
JumpServer, an open source bastion host and operations security audit platform, contains a Jinja2 template injection flaw in its Ansible integration that permits arbitrary code execution inside the Celery container. The vulnerability is tracked as CVE-2024-29202, carries a CVSS 3.1 score of 9.9, and is classified under CWE-94; it was addressed in version 3.10.7.
An authenticated attacker with low privileges can supply a malicious template that runs with root privileges and full database access inside the Celery container, enabling theft of credentials and sensitive data from all managed hosts or direct manipulation of the JumpServer database.
The official GitHub Security Advisory GHSA-2vvr-vmvx-73ch and the accompanying SonarSource analysis both state that upgrading to JumpServer 3.10.7 or later eliminates the template-injection vector; administrators are advised to apply the update promptly and to restrict Ansible template privileges where possible.
The EPSS score has reached a peak of 0.8368 with a current value of 0.7998, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26220
Vulnerability details
JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.
- CWE(s): CWE-94
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.