CVE-2019-10758 is a vulnerability in Mongo Express (the mongo-express project's web-based MongoDB administration interface)
Published on December 24, 2019
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of Node's `vm` module: user-supplied document text is evaluated as JavaScript in a `vm` context, and `vm` is not a security boundary, so code run there can reach the host process and execute arbitrary commands.
Known Exploited Vulnerability
This MongoDB mongo-express Remote Code Execution Vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, meaning exploitation in the wild has been observed.
CISA set a remediation due date of June 10, 2022; the required action is to apply updates per vendor instructions, i.e. upgrade to mongo-express 0.54.0 or later.
Vulnerability Analysis
CVE-2019-10758 is exploitable over the network by an attacker holding low privileges, that is, a valid mongo-express login (note that the project's documented default basic-auth credentials are admin / pass, so an instance left at defaults is effectively unauthenticated). Attack complexity is low and no user interaction is needed. The CVSS v3 exploitability subscore is 3.1 (the maximum possible is 3.9). The impact is rated critical: a successful exploit gives arbitrary code execution on the host running mongo-express, with high impact to confidentiality, integrity and availability, and it also exposes every MongoDB database the instance is configured to administer.
Products Associated with CVE-2019-10758
What versions of Mongo Express are vulnerable to CVE-2019-10758?
- Mongo Express (mongo-express project), Node.js: all versions before 0.54.0; fixed in version 0.54.0
Vulnerable Packages
The following package name and versions may be associated with CVE-2019-10758
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | mongo-express | < 0.54.0 | 0.54.0 |