How to Patch the Critical JumpServer Remote Execution Vulnerability

On January 15, 2021, the open‑source JumpServer bastion host disclosed a remote‑execution vulnerability that requires immediate remediation, especially for instances exposed to the public Internet.

Affected Versions

JumpServer < v2.6.2

JumpServer < v2.5.4

JumpServer < v2.4.5

Safe Versions

JumpServer >= v2.6.2

JumpServer >= v2.5.4

JumpServer >= v2.4.5

Recommended Fix

Upgrade JumpServer (both community and enterprise editions) to one of the safe versions.

Temporary Workaround

Modify the Nginx configuration to block the vulnerable API endpoints:

/api/v1/authentication/connection-token/
/api/v1/users/connection-token/

The Nginx configuration file locations are:

Community old version: /etc/nginx/conf.d/jumpserver.conf

Enterprise old version: jumpserver-release/nginx/http_server.conf

New versions: jumpserver-release/compose/config_static/http_server.conf

Example Nginx snippet (ensure the block appears before the generic /api/ location):

location /api/v1/authentication/connection-token/ {
    return 403;
}
location /api/v1/users/connection-token/ {
    return 403;
}
# additional rules above the generic /api/ block
location /api/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://core:8080;
}

After editing, restart the Nginx service to apply the changes.