CVE-2023-43651: 
vulnerability analysis and mitigation

JumpServer, an open source bastion host, was found to contain a critical vulnerability (CVE-2023-43651) that affects versions from 2.0.0 to 2.28.19 and 3.0.0 to 3.7.0. The vulnerability was discovered and reported by Oskar Zeino-Mahmalat of Sonar, and has been addressed in versions 2.28.20 and 3.7.1 (GitHub Advisory).

The vulnerability exists in the WEB CLI interface provided by the koko component, where an authenticated user can exploit MongoDB sessions to execute arbitrary commands. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and has received a CVSS v3.1 base score of 9.9 (Critical) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability allows authenticated users to execute arbitrary commands, leading to remote code execution (RCE). More critically, this vulnerability can be leveraged to gain root privileges on the host system, potentially compromising the entire system's security (GitHub Advisory).

The vulnerability has been patched in JumpServer versions 2.28.20 and 3.7.1. Users are strongly advised to upgrade to these safe versions. There are no known workarounds for this vulnerability other than upgrading to the patched versions (GitHub Advisory).