Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
JumpServer Koko vulnerable to Command Injection for Kubernetes Connection
Vulnerability Description
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
Jumpserver 命令注入漏洞
Vulnerability Description
Jumpserver是中国杭州飞致云信息科技有限公司的一款开源堡垒机。 Jumpserver 2.28.8之前版本存在命令注入漏洞。攻击者利用该漏洞使用非法token通过Koko连接Kubernetes集群,导致执行危险命令,扰乱Koko容器环境,影响正常使用。
CVSS Information
N/A
Vulnerability Type
N/A