CVE-2023-42442

HIGH NUCLEI

JumpServer 3.0.0-3.5.4 - Unauthenticated Session Replay Download via Terminal Sessions API


Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-42442. PoCs published by tarihub, HolyGu, C1ph3rX13. A Nuclei detection template is also available.


Description

JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. Permission control on the API `/api/v1/terminal/sessions/` is broken, so the endpoint can be accessed anonymously. The `SessionViewSet` permission classes are set to `[RBACPermission | IsSessionAssignee]`; the relation is OR, so a request is allowed as soon as either permission matches. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the API `$HOST/api/v1/terminal/sessions/?limit=1`. The expected HTTP response code is 401 (`not_authenticated`).
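The OR composition described above, as an added example that is not JumpServer's code and does not need Django: a small model of how two permission classes combine at view level. It assumes that `IsSessionAssignee` only restricts object-level access and keeps the allow-by-default `has_permission()` that Django REST Framework's `BasePermission` provides; the permission string, the `AUDITOR` user and the hardened composition are constructed for illustration and are not the project's actual fix.

```python
# Model of DRF-style permission composition on instances (DRF composes classes).
class BasePermission:
    def has_permission(self, user):
        return True  # DRF's BasePermission default: allow at view level

    def __or__(self, other):
        return Combined(self, other, any)

    def __and__(self, other):
        return Combined(self, other, all)


class Combined(BasePermission):
    def __init__(self, left, right, mode):
        self.parts, self.mode = (left, right), mode

    def has_permission(self, user):
        return self.mode(p.has_permission(user) for p in self.parts)


class RBACPermission(BasePermission):
    def has_permission(self, user):
        # "terminal.view_session" is a constructed permission name
        return user is not None and "terminal.view_session" in user["perms"]


class IsSessionAssignee(BasePermission):
    pass  # assumption: object-level checks only, view-level default stays True


class IsAuthenticated(BasePermission):
    def has_permission(self, user):
        return user is not None


def list_sessions_status(permission, user):
    """Status the list endpoint /api/v1/terminal/sessions/?limit=1 would return."""
    if permission.has_permission(user):
        return 200
    return 401 if user is None else 403


VULNERABLE = RBACPermission() | IsSessionAssignee()
HARDENED = IsAuthenticated() & (RBACPermission() | IsSessionAssignee())
AUDITOR = {"name": "auditor", "perms": {"terminal.view_session"}}  # constructed

if __name__ == "__main__":
    for label, perm in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, "anonymous:", list_sessions_status(perm, None),
              "auditor:", list_sessions_status(perm, AUDITOR))
```

In the model, the anonymous request gets 200 under the OR-only composition and 401 once authentication is required first, which matches the post-upgrade check in the description.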

Exploits (3)

nomisec WORKING POC 270 stars
by tarihub · poc
https://github.com/tarihub/blackjump

This repository contains a functional exploit tool for multiple JumpServer vulnerabilities, including CVE-2023-42442 (unauthorized download of operation videos) and CVE-2023-42820 (unauthorized password reset). The tool includes detailed implementation for bypassing CAPTCHA and executing attacks.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: JumpServer
No auth needed
Prerequisites: Target URL · Optional: username and email for password reset
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 40 stars
by HolyGu · poc
https://github.com/HolyGu/CVE-2023-42442

This Go script exploits CVE-2023-42442, an unauthorized access vulnerability in JumpServer, by fetching session data and replay files via path traversal. It retrieves session details, downloads replay files, and packages them into a tar archive.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: JumpServer (version not specified)
No auth needed
Prerequisites: Network access to the target JumpServer instance · Exposed API endpoint at /api/v1/terminal/sessions/
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 9 stars
by C1ph3rX13 · poc
https://github.com/C1ph3rX13/CVE-2023-42442

This repository contains a functional exploit for CVE-2023-42442, which targets an information disclosure vulnerability in a terminal session management system. The exploit retrieves session replay files and metadata by leveraging improper access controls in the API endpoints.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Unknown terminal session management system (likely a web-based terminal or bastion host)
No auth needed
Prerequisites: Network access to the target system · API endpoint exposed at /api/v1/terminal/sessions/
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

JumpServer > 3.6.4 - Information Disclosure
MEDIUM · VERIFIED · by xianke
FOFA: title="JumpServer" || title="jumpserver"

Scores

CVSS v3 8.2
EPSS 0.5586
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE CWE-287
Status published
Products (1)
fit2cloud/jumpserver 3.0.0 - 3.5.5
Published Sep 15, 2023
Tracked Since Feb 18, 2026