How severe is CVE-2023-42442?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2023-42442?

This is classified as CWE-287, which is a common weakness in software security.

CVE-2023-42442 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).

Related Vulnerabilities

CVE-2013-1596

MEDIUM

CVSS:5.3(Medium)

An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554.

CWE-2872013

CVE-2013-1600

MEDIUM

CVSS:5.3(Medium)

An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when streaming live video in D-Link TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-2121 1.06_FR, 1.06, and 1.05_RU, DCS-210...

CWE-2872013

CVE-2016-2102

MEDIUM

CVSS:5.3(Medium)

HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network.

CWE-2872016

CVE-2016-5133

MEDIUM

CVSS:5.3(Medium)

Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect ...

CWE-2872016

CVE-2016-9646

MEDIUM

CVSS:5.3(Medium)

ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata for...

CWE-2872016

CVE-2017-15272

MEDIUM

CVSS:5.3(Medium)

The PSFTPd 10.0.4 Build 729 server stores its configuration inside PSFTPd.dat. This file is a Microsoft Access Database and can be extracted. The application sets the encrypt flag with the password "I...

CWE-2872017