Home > Vulnerability Database > CVE-2023-43650

Mend.io Vulnerability Database

CVE-2023-43650

Good to know:

Date: September 27, 2023

JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available in 1 minute, this window potentially allows for up to 1,000,000 validation attempts. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

8.2

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-43650

Url: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw

Url: https://www.mend.io/vulnerability-database/CVE-2023-43650

Severity Score

8.2

Weakness Type (CWE)

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Top Fix

Upgrade Version

Upgrade to version v2.28.20,v3.7.1

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-43650

Good to know:

Date: September 27, 2023

Language: Python

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?