Impact
Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database.
Details
An attacker with a low-privilege user account is capable of exploiting a vulnerability to execute arbitrary code within the Celery container. The vulnerability can be reproduced via the following steps:
- The attacker constructs a malicious playbook template within the "Job > Template" section of the Workbench, like the following YAML code:
- name: |
{% for x in ().__class__.__base__.__subclasses__() %}
{% if "warning" in x.__name__ %}
{{
x()._module.__builtins__["__import__"]("os").system("id > /tmp/pwnd")
}}
{%endif%}
{%endfor%}
-
The attacker creates a job by running the malicious playbook template within the "Job > Job list" section of the Workbench.
-
The attacker successfully creates the file /tmp/pwnd in the Celery container.
Patches
Safe versions: >= v3.10.7
Workarounds
Temporary repair, System setting (系统设置) - Feature(功能设置) - Job Center(任务中心) Disable (关闭)
It is recommended to upgrade the safe versions.
After the upgrade, the attacker would be unable to execute arbitrary code within the Celery container.
References
Impact
Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database.
Details
An attacker with a low-privilege user account is capable of exploiting a vulnerability to execute arbitrary code within the Celery container. The vulnerability can be reproduced via the following steps:
The attacker creates a job by running the malicious playbook template within the "Job > Job list" section of the Workbench.
The attacker successfully creates the file
/tmp/pwndin the Celery container.Patches
Safe versions: >= v3.10.7
Workarounds
Temporary repair, System setting (系统设置) - Feature(功能设置) - Job Center(任务中心) Disable (关闭)
It is recommended to upgrade the safe versions.
After the upgrade, the attacker would be unable to execute arbitrary code within the Celery container.
References