CVE-2023-28110 – JumpServer Koko vulnerable to Command Injection for Kubernetes Connection

https://notcve.org/view.php?id=CVE-2023-28110

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. • https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8 https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •