CVE-2023-42818

描述

SSH public key login without private key challenge if mfa is enabled in jumpserver in github.com/jumpserver/koko in github.com/jumpserver/jumpserver

如何修補 CVE-2023-42818

要修補 CVE-2023-42818,請將受影響套件升級到下列已修補版本。

• Go/github.com/jumpserver/jumpserver—升級至 3.5.6+incompatible 或更新版本
• Go/github.com/jumpserver/koko—未列出修補版本

CVE-2023-42818 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(2)

• from 0, < 3.5.6+incompatible, >= 3.6.0+incompatible, < 3.6.5+incompatible
• from 0

參考連結(3)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-42818
• WEBgithub.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv
• WEBwww.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2