CVE-2024-6376 - Code Injection Vulnerability in MongoDB Compass' EJSON Shell Parser

MongoDB Compass is a popular and intuitive GUI and query builder for MongoDB that lets developers explore their schemas, run queries more efficiently, and manage their databases visually. A security vulnerability (CVE-2024-6376) has recently been identified that could lead to code injection attacks because of insufficient sandbox protection settings when the EJSON shell parser is used in connection handling.

Affected Versions

The affected versions of MongoDB Compass are those prior to version 1.42.2. To safeguard your environment, it is highly recommended that you update your installations of MongoDB Compass immediately.

Details

The vulnerability stems from the insecure implementation and usage of the ejson shell parser, which is responsible for parsing MongoDB connection URIs in Compass. Because of the insufficient sandbox protection settings, an attacker can exploit this vulnerability to inject arbitrary code into the MongoDB Compass runtime, potentially gaining access to sensitive data, executing commands on the backend, and causing other damage.

Proof-of-Concept

Allow me to demonstrate a proof-of-concept for this vulnerability.

1. The attacker crafts a malicious connection string such as the following:

```
mongodb://attacker:password@evil-db.com/test?authSource=admin&eval=console.log(%22You%20have%20been%20pwned!%22)//attacker
```

2. When this connection string is supplied to MongoDB Compass (versions prior to 1.42.2), the EJSON shell parser parses it, interprets the eval parameter, and executes the JavaScript it contains.

3. As a result, the attacker's code `console.log("You have been pwned!")` runs inside the Compass runtime, demonstrating the potential for code injection attacks.

References

- MongoDB Compass Security Advisory: https://www.mongodb.com/security-advisory
- EJSON Shell parser repository: https://github.com/mongodb-js/ejson-shell-parser
- MongoDB Compass release notes (v1.42.2): https://github.com/mongodb-js/compass/releases/tag/v1.42.2

Exploit Details

To exploit this vulnerability, an attacker would need to craft a malicious MongoDB connection string and trick a Compass user into using that connection string when connecting to a MongoDB instance. Although this requires some degree of social engineering, once it succeeds the potential impact is severe.

As a developer or administrator, you are advised to update your MongoDB Compass installations to version 1.42.2 or later, which includes a patch to resolve this code injection vulnerability.

In summary, CVE-2024-6376 allows attackers to inject code into MongoDB Compass via the EJSON shell parser because of insufficient sandbox protection settings. Ensure your installations are up to date, and stay vigilant about the connection strings you paste into MongoDB Compass.
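The two defensive checks this advisory calls for, verifying that an installed Compass is at or above the patched release and inspecting a connection string before it is pasted into a client, can be scripted. The following is an added example written for this page; it is not code from MongoDB, from Compass, or from the ejson-shell-parser project. The allow-list of connection options is a constructed subset of well-known driver options, not an official list, and the "code-like value" heuristic is an assumption chosen to flag the kind of payload shown in the proof-of-concept above.

```python
"""Audit a MongoDB connection string for unexpected query options and check a
Compass version against the release that fixes CVE-2024-6376.

Added example for this page, not MongoDB's or Compass' own code.  The option
allow-list and the code-like-value heuristic are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Fixed release per the advisory text: versions prior to 1.42.2 are affected.
PATCHED_COMPASS_VERSION = (1, 42, 2)

# Constructed subset of common driver options (lower-cased for comparison).
# This is NOT the full connection-string specification.
KNOWN_OPTIONS = {
    "authsource", "authmechanism", "replicaset", "tls", "ssl",
    "readpreference", "retrywrites", "w", "directconnection",
    "connecttimeoutms", "sockettimeoutms", "appname",
}

# Punctuation that has no business in a connection option value but is
# typical of JavaScript expressions (assumption used as a detection heuristic).
CODE_LIKE_CHARS = "(){};"


def parse_version(text: str) -> tuple:
    """Turn '1.42.1' or 'v1.42.1-beta.0' into (1, 42, 1), dropping pre-release tags."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(text: str) -> bool:
    """True when the given Compass version is older than the patched 1.42.2."""
    return parse_version(text) < PATCHED_COMPASS_VERSION


def audit_connection_string(uri: str) -> list:
    """Return human-readable findings for a connection string (empty = clean).

    Uses urlsplit rather than a stricter URL class so that multi-host
    strings such as 'mongodb://h1:27017,h2:27017/db' still split cleanly.
    """
    findings = []
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        findings.append(f"unexpected scheme: {parts.scheme!r}")

    # keep_blank_values so an option with an empty value is still inspected.
    options = parse_qs(parts.query, keep_blank_values=True)
    for name, values in options.items():
        if name.lower() not in KNOWN_OPTIONS:
            findings.append(f"unrecognised option {name!r}")
        for value in values:  # values are already percent-decoded here
            if any(ch in value for ch in CODE_LIKE_CHARS):
                findings.append(f"code-like value in option {name!r}: {value!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the proof-of-concept string from the advisory above.
    poc = ("mongodb://attacker:password@evil-db.com/test?authSource=admin"
           "&eval=console.log(%22You%20have%20been%20pwned!%22)//attacker")
    for finding in audit_connection_string(poc):
        print("FINDING:", finding)
    for version in ("1.42.1", "1.42.2", "1.43.0"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "patched")
```

Running the script against the proof-of-concept string reports the unrecognised `eval` option and its decoded, code-like value; a plain string such as `mongodb://localhost:27017/test?authSource=admin&retryWrites=true` produces no findings. The version check is deliberately a tuple comparison so that `1.43.0` is correctly treated as newer than `1.42.2`.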

Timeline

Published on: 07/01/2024 15:15:17 UTC
Last modified on: 07/03/2024 15:04:52 UTC