CVE-2024-29202

Source
https://cve.org/CVERecord?id=CVE-2024-29202
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29202.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-29202
Aliases
  • GHSA-2vvr-vmvx-73ch
Published
2024-03-29T14:57:43.606Z
Modified
2026-03-14T12:33:09.411933Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery
Details

JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29202.json"
}
References

Affected packages

Git / github.com/jumpserver/jumpserver

Affected ranges

Type
GIT
Repo
https://github.com/jumpserver/jumpserver
Events

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29202.json"