Summary
MongoDB is prone to a remote code execution vulnerability because it fails to properly sanitize user-supplied input.
Impact
An attacker can exploit this vulnerability to execute arbitrary code within the context of the affected application.
Solution
Update to the latest version or disable the REST interface.
Insight
If an attacker can reach the REST interface, which listens on port 28017 by default, the attacker could execute server-side JavaScript (SSJS) code.
Affected
MongoDB 2.x is vulnerable.
Detection
Send a specially crafted HTTP GET request and check the response.
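A configuration audit for the exposure described under Insight and the mitigation under Solution, added here as an example; it is not part of this advisory and not MongoDB's own tooling. It assumes the legacy ini-style mongod.conf and command-line options of MongoDB 2.0-2.4 (`port`, `rest`, `nohttpinterface`, `bind_ip`), and the sample configurations are constructed.

```python
import shlex

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def _truthy(value):
    return value.strip().strip("\"'").lower() in ("true", "1", "yes")

def parse_legacy_conf(text):
    """Parse the ini-style 'key = value' mongod.conf used by MongoDB 2.x."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit_rest_interface(conf_text="", cmdline=""):
    """Report whether a mongod 2.x instance exposes its REST interface.

    Assumes the 2.0-2.4 behaviour: HTTP interface on unless 'nohttpinterface'
    is set, REST served on it only when 'rest' is set, listening on the mongod
    port + 1000 (28017 for the default 27017). Flags override config keys.
    """
    opts = parse_legacy_conf(conf_text)
    args = shlex.split(cmdline)
    port, bind_ip = int(opts.get("port", 27017)), opts.get("bind_ip", "")
    for i, arg in enumerate(args[:-1]):
        if arg == "--port":
            port = int(args[i + 1])
        elif arg == "--bind_ip":
            bind_ip = args[i + 1]
    rest = "--rest" in args or _truthy(opts.get("rest", "false"))
    http_on = "--nohttpinterface" not in args and not _truthy(
        opts.get("nohttpinterface", "false"))
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    # An empty bind_ip means all interfaces, so the port is reachable remotely.
    reachable = not addrs or any(a not in LOOPBACK for a in addrs)
    return {
        "http_port": port + 1000,
        "rest_enabled": rest and http_on,
        "network_reachable": reachable,
        "rest_exposed": rest and http_on and reachable,
    }

# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = "port = 27017\nrest = true  # REST API on, bound to all interfaces\n"
HARDENED_CONF = "port = 27017\nnohttpinterface = true\nbind_ip = 127.0.0.1\n"
```

Run `audit_rest_interface(conf_text, cmdline)` against the instance's config file and its process arguments; `rest_exposed` is the condition this advisory describes.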
References
Severity
Classification
-
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C