6.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-43651

GHSA ID

GHSA-4r5x-x283-wm96

EPSS Score

0.94%

CWE

CWE-94

Published

10/24/2023

Updated

11/11/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-43651

CVE-2023-43651: Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell

Impact

An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system.

Details

Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands.

admin> const { execSync } = require("child_process")
admin> console.log(execSync("id; hostname;").toString())
uid=0(root) gid=0(root) groups=0(root)
jms_koko
admin>

Patches

Safe versions:

v2.28.20
v3.7.1

Workarounds

It is recommended to upgrade the safe versions.

After upgrade, you can use the same method to check whether the vulnerability is fixed.

admin> console.log(execSync("id; hostname;").toString())
/bin/sh: line 1: /bin/hostname: Permission denied

References

Thanks for Oskar Zeino-Mahmalat of Sonar found and report this vulnerability

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-43651

CVE-2023-43651:

6.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-43651

GHSA ID

GHSA-4r5x-x283-wm96

EPSS Score

0.94%

CWE

CWE-94

Published

10/24/2023

Updated

11/11/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/jumpserver/koko	go	>= 2.0.0, < 2.28.20	2.28.20
github.com/jumpserver/koko	go	>= 3.0.0, < 3.7.1	3.7.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from database client connectors (MongoDB/PostgreSQL/Redis/SQL Server) executing CLI tools with excessive privileges. The patch adds BuildNobodyWithOpts to run these clients with reduced 'nobody' user permissions. The original implementations in conn_*.go files called localcommand.New without user context restrictions, allowing authenticated users to leverage database shells' native command execution capabilities (e.g., MongoDB's execSync) with host system root privileges. The entrypoint.sh permission changes and addition of conn_nobody.go confirm the privilege escalation vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-43651: Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell

Impact

Details

Patches

Workarounds

References

CVE-2023-43651:

6.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.4

6.4

Basic Information

Basic Information

CVE-2023-43651: Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell

Impact

Details

Patches

Workarounds

References

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI