Headline
CVE-2023-43650: Non-MFA account takeover via brute-force attack on weak password reset code
JumpServer is an open source bastion host. The verification code for resetting user’s password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available in 1 minute, this window potentially allows for up to 1,000,000 validation attempts. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
The verification code for resetting user’s password is vulnerable to brute-force attacks due to the absence of rate limiting.
Details
JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available in 1 minute, this window potentially allows for up to 1,000,000 validation attempts.
Patches
Safe versions:
- v2.28.20
- v3.7.1
Workarounds
It is recommended to upgrade the safe versions.
After the upgrade, entering the verification code can only be attempted 3 times, then the code will be expired.
References
Thanks for Oskar Zeino-Mahmalat of Sonar found and report this vulnerability