JumpServer Users Beware: Password Reset Code Vulnerable to Brute Force Attacks

CVSS v3.1: 8.2

JumpServer is an open source bastion host tool that provides remote access management. It was found to have a vulnerability in its password reset feature that could allow attackers to brute force the verification code used to reset passwords.

When a user forgets their password, JumpServer sends a 6-digit code to the registered email that needs to be entered on the reset password page. Although this code expires after a minute, this short window still allows attackers to try all possible combinations (1,000,000 attempts) using an automated script. This could enable them to easily guess the code and hijack other users’ accounts.

Brute force attacks work by systematically checking all possible passwords or codes until the correct one is found. They are possible when restrictions are missing, such as locking the account after a number of failed attempts.

JumpServer has released updates to versions 2.28.20 and 3.7.1 that address this issue by adding rate limiting to prevent abuse of the password reset feature.
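The following is an added example, not JumpServer's own code or its actual patch: a minimal sketch of a reset-code check that caps failed attempts per issued code, so the 1,000,000-value space cannot be enumerated inside the one-minute window. The class name, return strings and the limit of 5 attempts are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60     # the page states the code expires after a minute
MAX_FAILED_ATTEMPTS = 5   # assumed limit, not taken from JumpServer


class ResetCodeStore:
    """In-memory store of one pending reset code per account (illustrative)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # username -> [code, expires_at, failures]

    def issue(self, username):
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code  # in a real system this is e-mailed, never returned to the client

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return "no_code"
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[username]
            return "expired"
        # Constant-time comparison on bytes (also safe for non-ASCII input).
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]  # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_FAILED_ATTEMPTS:
            # Burn the code: later guesses fail even if they are correct.
            del self._pending[username]
            return "locked"
        return "wrong"


def guess_success_bound(max_attempts=MAX_FAILED_ATTEMPTS, code_space=10**6):
    """Upper bound on the chance of guessing one issued code."""
    return max_attempts / code_space
```

The bound applies per issued code, so requests for new codes need their own limit per account and per source address.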

All JumpServer users are advised to immediately update to the latest versions to protect their accounts from potential brute force attacks. It is also recommended to use strong and unique passwords for all internet-facing services. Regular password changes and enabling Two-Factor Authentication wherever available add extra security.