CVE-2023-43651 – github.com/jumpserver/koko

Package

Manager: go
Name: github.com/jumpserver/koko
Vulnerable Version: >=2.0.0 <2.28.20 || >=3.0.0 <3.7.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.13919 pctl0.94074

Details

Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell ### Impact An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system. ### Details Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. ``` admin> const { execSync } = require("child_process") admin> console.log(execSync("id; hostname;").toString()) uid=0(root) gid=0(root) groups=0(root) jms_koko admin> ``` ### Patches Safe versions: - v2.28.20 - v3.7.1 ### Workarounds It is recommended to upgrade the safe versions. After upgrade, you can use the same method to check whether the vulnerability is fixed. ``` admin> console.log(execSync("id; hostname;").toString()) /bin/sh: line 1: /bin/hostname: Permission denied ``` ### References Thanks for **Oskar Zeino-Mahmalat** of [Sonar](https://sonarsource.com/) found and report this vulnerability

Metadata

Created: 2023-10-24T19:47:50Z
Modified: 2023-10-24T19:47:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-4r5x-x283-wm96/GHSA-4r5x-x283-wm96.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-4r5x-x283-wm96
Finding: F422
Auto approve: 1