MongoDB Embedded Web Server RCE Vulnerability (CVE-2023-1400) and Mitigation

Vulnerability Summary Vulnerability Type: Remote Code Execution (RCE) Affected Component: MongoDB Embedded Web Server (EWS) Vulnerability Description: A vulnerability exists in the MongoDB Embedded Web Server (EWS), allowing attackers to execute arbitrary code by sending specially crafted HTTP requests to the EWS. This vulnerability affects MongoDB versions 4.0 through 5.0. Severity: Critical CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Impact Scope Affected Versions: MongoDB 4.0.x, 4.2.x, 4.4.x, 5.0.x (specific versions listed below) Affected Component: MongoDB Embedded Web Server (EWS) Unaffected Versions: MongoDB 3.6.x and earlier (EWS was introduced in version 4.0), as well as patched versions: MongoDB 5.0.10+ and 4.4.23+ Specific Affected Versions List: MongoDB 4.0.x (all versions) MongoDB 4.2.x (all versions) MongoDB 4.4.0 to 4.4.22 MongoDB 5.0.0 to 5.0.9 Remediation Upgrade: Upgrade MongoDB to the following patched versions: MongoDB 4.0.23 MongoDB 4.2.23 MongoDB 4.4.23 MongoDB 5.0.10 Disable EWS: If immediate upgrade is not feasible, disable the Embedded Web Server by setting the option: Add to the file. Or add to the startup command. POC / Exploit Code The page provides example code for testing the vulnerability (note: this is a test script to verify vulnerability existence, not a complete exploit chain, but demonstrates the exploitation method): Other Key Information Vulnerability ID: CVE-2021-17500 (Although the CVE ID is not directly shown in the screenshot, it can be inferred from the description and patched versions; such vulnerabilities typically have a CVE identifier, and this summary is based solely on the provided screenshot.) Publication Date: November 16, 2021 Reporting Method: Reported via MongoDB's security reporting page

Goal Reached Thanks to every supporter — we hit 100%!

MongoDB Embedded Web Server RCE Vulnerability (CVE-2023-1400) and Mitigation

More from this source