{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "3.10.21-lts" } ] }, "events": [ { "introduced": "0" }, { "fixed": "0af7e8b1e974094d4adea572aba0e7cd953e5cd3" } ], "repo": "https://github.com/jumpserver/jumpserver", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "4.0.0" }, { "fixed": "4.10.12-lts" } ] }, "events": [ { "introduced": "6e7c11d6c0d113a883500a8cbd4bff04863d98cd" }, { "fixed": "32aecb79c4bda93a26c8da9537ff756c02c2ed45" } ], "repo": "https://github.com/jumpserver/jumpserver", "type": "GIT" } ] } ], "aliases": [ "GHSA-7893-256g-m822" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-863" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62795.json" }, "details": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.", "id": "CVE-2025-62795", "modified": "2026-03-13T21:47:20.189285603Z", "published": "2025-10-30T16:56:09.321Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62795.json" }, { "type": "ADVISORY", "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62795" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "type": "CVSS_V3" } ], "summary": "JumpServer Unauthorized LDAP Configuration Access via WebSocket" }