How severe is CVE-2023-46138?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2023-46138?

This is classified as CWE-640, which is a common weakness in software security.

CVE-2023-46138 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.

Related Vulnerabilities

CVE-2017-8385

MEDIUM

CVSS:5.3(Medium)

Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

CWE-6402017

CVE-2018-10210

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. Enumeration of users is possible through the password-reset feature.

CWE-6402018

CVE-2019-14955

MEDIUM

CVSS:5.3(Medium)

In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.

CWE-6402019

CVE-2020-14016

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. ...

CWE-6402020

CVE-2021-36436

MEDIUM

CVSS:5.3(Medium)

An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint.

CWE-6402021

CVE-2022-34530

MEDIUM

CVSS:5.3(Medium)

An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.

CWE-6402022