CVE-2023-43651: Remote code execution on the host system via MongoDB shell in jumpserver
First published: Wed Sep 27 2023(Updated: )
### Impact An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system. ### Details Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. ``` admin> const { execSync } = require("child_process") admin> console.log(execSync("id; hostname;").toString()) uid=0(root) gid=0(root) groups=0(root) jms_koko admin> ``` ### Patches Safe versions: - v2.28.20 - v3.7.1 ### Workarounds It is recommended to upgrade the safe versions. After upgrade, you can use the same method to check whether the vulnerability is fixed. ``` admin> console.log(execSync("id; hostname;").toString()) /bin/sh: line 1: /bin/hostname: Permission denied ``` ### References Thanks for **Oskar Zeino-Mahmalat** of [Sonar](https://sonarsource.com/) found and report this vulnerability
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fit2cloud Jumpserver | >=2.0.0<2.28.20 | |
| Fit2cloud Jumpserver | >=3.0.0<3.7.1 | |
| go/github.com/jumpserver/koko | >=3.0.0<3.7.1 | 3.7.1 |
| go/github.com/jumpserver/koko | >=2.0.0<2.28.20 | 2.28.20 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96
- https://nvd.nist.gov/vuln/detail/CVE-2023-43651
- https://github.com/jumpserver/koko/commit/7d80db95d17c8f42bdf50260dfc21dc2bd0452c2
- https://github.com/jumpserver/koko/commit/857f8b9e41f0930dc6190a35d8601fffa5e884e7
- https://github.com/advisories/GHSA-4r5x-x283-wm96 (Advisory)
Frequently Asked Questions
What is CVE-2023-43651?
CVE-2023-43651 is a vulnerability in the MongoDB sessions of JumpServer that allows an authenticated user to execute arbitrary commands and potentially gain root privileges on the system.
What is the severity of CVE-2023-43651?
CVE-2023-43651 has a severity rating of 9.9 (Critical).
How does CVE-2023-43651 affect Fit2cloud JumpServer?
CVE-2023-43651 affects Fit2cloud JumpServer versions from 2.0.0 to 2.28.20 and versions from 3.0.0 to 3.7.1.
How can an authenticated user exploit CVE-2023-43651?
An authenticated user can exploit CVE-2023-43651 through the WEB CLI interface provided by JumpServer, allowing them to execute arbitrary commands and potentially gain root privileges.
Is there a fix available for CVE-2023-43651?
Yes, it is recommended to update Fit2cloud JumpServer to a version that is not affected by CVE-2023-43651 or apply the necessary patches provided by the vendor.
- collector/nvd-api
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-4r5x-x283-wm96
- alias/CVE-2023-43651
- collector/github-advisory
- collector/nvd-cve
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/severity
- agent/references
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/trending
- vendor/fit2cloud
- canonical/fit2cloud jumpserver
- version/fit2cloud jumpserver/2.0.0
- version/fit2cloud jumpserver/3.0.0
- package-manager/go