CVE-2023-43651

Description

### Impact An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system. ### Details Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. ``` admin> const { execSync } = require("child_process") admin> console.log(execSync("id; hostname;").toString()) uid=0(root) gid=0(root) groups=0(root) jms_koko admin> ``` ### Patches Safe versions: - v2.28.20 - v3.7.1 ### Workarounds It is recommended to upgrade the safe versions. After upgrade, you can use the same method to check whether the vulnerability is fixed. ``` admin> console.log(execSync("id; hostname;").toString()) /bin/sh: line 1: /bin/hostname: Permission denied ``` ### References Thanks for **Oskar Zeino-Mahmalat** of [Sonar](https://sonarsource.com/) found and report this vulnerability

How to fix CVE-2023-43651

To remediate CVE-2023-43651, upgrade the affected package to a fixed version below.

• —upgrade to 2.28.20 or later

Is CVE-2023-43651 being exploited?

Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• >= 2.0.0, < 2.28.20

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-43651
• PATCHgithub.com/jumpserver/koko
• WEBgithub.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96
• WEBgithub.com/jumpserver/koko/commit/7d80db95d17c8f42bdf50260dfc21dc2bd0452c2