Impact

Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database.

Details

The vulnerability arises from bypassing input validation in the Ansible module of JumpServer. An attacker with a low-privilege user account is capable of exploiting a vulnerability to execute arbitrary code within the Celery container. It can be reproduced via the following steps:

• The attacker constructs a malicious playbook template within the "Job > Template" section of the Workbench, like the following YAML code:

[{
     "name": "RCE playbook",
     "hosts": "all",
     "tasks": [
       {
         "name": "this runs in Celery container",
         "shell": "id > /tmp/pwnd",
         "\u0064elegate_to": "localhost"
} ],
     "vars": {
     "ansible_\u0063onnection": "local"
     }
}]

• The attacker creates a job with this playbook and adds at least one asset to run the job.
• The attacker successfully creates the file /tmp/pwnd in the Celery container.

Patches

Safe versions: >= v3.10.7

Workarounds

Temporary repair, System setting (系统设置) - Feature（功能设置） - Job Center（任务中心) Disable （关闭）

It is recommended to upgrade the safe versions.
After the upgrade, the attacker would be unable to execute arbitrary code within the Celery container.