CVE-2024-29024: JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality
First published: Fri Mar 29 2024(Updated: )
JumpServer is an open source bastion host and an operation and maintenance security audit system. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jumpserver | >=3.0.0<3.10.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-29024?
CVE-2024-29024 has a medium severity rating due to the potential for authenticated users to upload malicious files.
How do I fix CVE-2024-29024?
To fix CVE-2024-29024, update JumpServer to version 3.10.6 or higher.
Who is affected by CVE-2024-29024?
CVE-2024-29024 affects authenticated users of JumpServer versions between 3.0.0 and 3.10.6.
What type of vulnerability is CVE-2024-29024?
CVE-2024-29024 is classified as an Insecure Direct Object Reference (IDOR) vulnerability.
What kind of files can be uploaded due to CVE-2024-29024?
An attacker can upload malicious files to the system by exploiting the CVE-2024-29024 vulnerability.
- agent/weakness
- agent/title
- agent/references
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/fit2cloud
- canonical/jumpserver
- version/jumpserver/3.0.0