Описание
Kottster app reinitialization can be re-triggered allowing command injection in development mode
Impact
Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.
The vulnerability combines two issues:
- The
initAppaction can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token - The
installPackagesForDataSourceaction uses unescaped command arguments, enabling command injection
An attacker with access to a locally running development instance can chain these vulnerabilities to:
- Reinitialize the application and receive a JWT token for a new root account
- Use this token to authenticate
- Execute arbitrary system commands through
installPackagesForDataSource
Production deployments were never affected.
Patches
Fixed in v3.3.2.
Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.
We recommend developers using earlier versions of @kottster/server and @kottster/cli update all the core packages to latest release:
Workarounds
- Do not expose development servers to public networks or untrusted users
- Use production mode for any deployment accessible from outside trusted environments
Credit
We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.
Пакеты
@kottster/server
>= 3.2.0, < 3.3.2
3.3.2
Связанные уязвимости
Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, production deployments were never affected. This issue has been fixed in version 3.3.2.