CVE-2023-43651 - OpenCVE

JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided by the koko component, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fit2cloud	Jumpserver

Configuration 1 [-]

OR	cpe:2.3:a:fit2cloud:jumpserver::::::::
	cpe:2.3:a:fit2cloud:jumpserver::::::::

No data.

References

Link	Providers
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-27T20:24:08.733Z

Updated: 2024-08-02T19:44:44.252Z

Reserved: 2023-09-20T15:35:38.147Z

Link: CVE-2023-43651

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-27T21:15:10.347

Modified: 2023-10-02T14:17:15.667

Link: CVE-2023-43651

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43651", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-20T15:35:38.147Z", "datePublished": "2023-09-27T20:24:08.733Z", "dateUpdated": "2024-08-02T19:44:44.252Z"}, "containers": {"cna": {"title": "Remote code execution on the host system via MongoDB shell in jumpserver", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96"}], "affected": [{"vendor": "jumpserver", "product": "jumpserver", "versions": [{"version": ">= 2.0.0, < 2.28.20", "status": "affected"}, {"version": ">= 3.0.0, < 3.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-27T20:24:08.733Z"}, "descriptions": [{"lang": "en", "value": "JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided by the koko component, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-4r5x-x283-wm96", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:44.252Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF95C421-E2B7-4251-8BAF-E83A5779A9F0", "versionEndExcluding": "2.28.20", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "4232B350-4257-43B9-A697-AFA6D8247B1E", "versionEndExcluding": "3.7.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided by the koko component, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "JumpServer es un host de bastionado de c\u00f3digo abierto. Un usuario autenticado puede aprovechar una vulnerabilidad en las sesiones de MongoDB para ejecutar comandos arbitrarios, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad puede aprovecharse a\u00fan m\u00e1s para obtener privilegios de root en el sistema. A trav\u00e9s de la interfaz WEB CLI proporcionada por el componente koko, un usuario inicia sesi\u00f3n en la base de datos mongoDB autorizada y explota la sesi\u00f3n de MongoDB para ejecutar comandos arbitrarios. Esta vulnerabilidad se ha solucionado en las versiones 2.28.20 y 3.7.1. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-43651", "lastModified": "2023-10-02T14:17:15.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-27T21:15:10.347", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}