Security Vulnerability Report
CVE-2026-31864 CVSS 6.8 MEDIUM

Published: 2026-03-13 19:54:37
Last Modified: 2026-03-18 13:09:29

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. A Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:* - VULNERABLE (versions before 3.10.22)
cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:* - VULNERABLE (versions from 4.0.0 up to, but excluding, 4.10.16)
Affected: JumpServer < 3.10.22 and 4.0.0 <= JumpServer < 4.10.16 (per the cpeMatch version ranges in the record); fixed in 3.10.22 and 4.10.16.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import zipfile
import io

# Build a ZIP package whose manifest.yml holds a Jinja2 expression canary
malicious_content = '{{7*7}}'
zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w') as zf:
    zf.writestr('manifest.yml', malicious_content)
# Upload logic would follow here
print('PoC构造完成')
```
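The following is an added, defender-side example, not code from this page or from the JumpServer project: it inspects an uploaded Applet/VirtualApp package of the kind built above and rejects a manifest.yml that contains Jinja2 delimiters before anything is rendered. The one-directory-deep manifest layout and the function names are assumptions; the sample packages are constructed in the block.

```python
import io
import re
import zipfile

# Jinja2's default delimiters: {{ expression }}, {% statement %}, {# comment #}
JINJA_DELIMITERS = re.compile(r"\{\{|\{%|\{#")


def find_template_syntax(text):
    """Return (line_number, stripped_line) for each line holding a Jinja2 delimiter."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if JINJA_DELIMITERS.search(line)]


def check_applet_package(zip_bytes, manifest_name="manifest.yml"):
    """Inspect an uploaded Applet/VirtualApp ZIP before any template rendering.

    The manifest is read as plain text and never handed to a template engine.
    Returns {"ok": bool, "reason": str} plus "findings" when syntax was found.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "not a valid ZIP archive"}
    with zf:
        # Accept the manifest at the archive root or one directory down
        # (a layout assumption for this example, not JumpServer's rule).
        names = [n for n in zf.namelist()
                 if n.split("/")[-1] == manifest_name and n.count("/") <= 1]
        if not names:
            return {"ok": False, "reason": f"{manifest_name} missing"}
        raw = zf.read(names[0])
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {"ok": False, "reason": "manifest is not valid UTF-8"}
    findings = find_template_syntax(text)
    if findings:
        return {"ok": False, "reason": "template syntax in manifest",
                "findings": findings}
    return {"ok": True, "reason": "no template syntax found"}


def build_package(manifest_text, path="manifest.yml"):
    """Build an in-memory ZIP holding one manifest (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(path, manifest_text)
    return buf.getvalue()
```

This check is a compensating control for screening packages at upload time; upgrading to a fixed release remains the remediation.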

References

https://github.com/jumpserver/jumpserver/pull/16608 (Issue Tracking)
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc (Patch, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-31864",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:54:36.803",
    "lastModified": "2026-03-18T13:09:28.853",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks."
      },
      {
        "lang": "es",
        "value": "JumpServer es un host bastión de código abierto y un sistema de auditoría de seguridad de operación y mantenimiento. Existe una vulnerabilidad de inyección de plantillas del lado del servidor (SSTI) en la funcionalidad de carga de Applet y VirtualApp de JumpServer. Esta vulnerabilidad solo puede ser explotada por usuarios con privilegios administrativos (permisos de Gestión de Applets de Aplicación o Gestión de Aplicaciones Virtuales). Los atacantes pueden explotar esta vulnerabilidad para ejecutar código arbitrario dentro del contenedor de JumpServer Core. La vulnerabilidad surge del uso inseguro del renderizado de plantillas Jinja2 al procesar archivos de configuración YAML cargados por el usuario. Cuando un usuario carga un paquete ZIP de Applet o VirtualApp, el archivo manifest.yml se renderiza a través de Jinja2 sin restricciones de sandbox, lo que permite ataques de inyección de plantillas."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-1336"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.10.22",
                "matchCriteriaId": "CD655DF8-C263-4EC3-91F9-BB374C2C7ACD"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "4.10.16",
                "matchCriteriaId": "0DA50E29-0D69-476A-A92C-2D48FF5E51B0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/jumpserver/jumpserver/pull/16608",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-qx8h-rx2j-j5wc",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}
```