Description
Remote Code Execution Vulnerability in NPM mongo-express
Impact
Remote code execution on the host machine by any authenticated user.
Proof Of Concept
Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator:
Patches
Users should upgrade to version 0.54.0
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
For more information
If you have any questions or comments about this advisory:
- Open an issue in example link to repo
- Email us at example email address
Thanks
@JLLeitschuh for finding and reporting this vulnerability
This vulnerability has been exploited in the wild.
References
- https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
- https://nvd.nist.gov/vuln/detail/CVE-2019-10758
- https://github.com/mongo-express/mongo-express/pull/522
- https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
- https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
- https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
- https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758
Packages
mongo-express: affected versions < 0.54.0; fixed in 0.54.0
Related vulnerabilities
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
A vulnerability in Mongo-express, the web interface for the MongoDB database management system, allows an attacker to execute arbitrary code on the target system by sending a specially crafted request.