CVE-2019-10758: MongoDB mongo-express Remote Code Execution Alert
On January 3, 2020, we observed that the mongo-express project had officially published an advisory for CVE-2019-10758, rated as a high-severity vulnerability. mongo-express appears to be one of the more widely used MongoDB admin management interfaces on GitHub. We assess the severity as high and the potential harm and impact as large. mongo-express users are advised to update promptly to avoid compromise.
Vulnerability details
Affected versions of this package are vulnerable to remote code execution (RCE) through endpoints that use the toBSON method. The flaw is a misuse of the vm dependency, which allows exec commands to be run in a non-safe environment. The default username is admin and the password is pass.
Affected version
mongo-express, versions 0.54.0 and older
Unaffected version
mongo-express version 0.54.0 or higher.
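
As an added example (not code from the mongo-express project or from the original advisory), the following Node.js check flags a deployment that matches the two conditions described above: a release older than 0.54.0, taken here as the first unaffected release per the "Unaffected version" line, and the default admin/pass credentials. The function names and finding labels are hypothetical, and reading the credentials from the ME_CONFIG_BASICAUTH_USERNAME and ME_CONFIG_BASICAUTH_PASSWORD environment variables, with a fallback to the defaults when unset, is an assumption about how the instance is configured.

```javascript
// Added example: audit a mongo-express deployment for the conditions in this advisory.
const FIXED = [0, 54, 0];       // first unaffected release per the advisory
const DEFAULT_USER = 'admin';   // default credentials quoted in the advisory
const DEFAULT_PASS = 'pass';

// Parse "0.53.0", "v0.53.0" or a declared range such as "^0.53.0"
// (the range's lower bound is used) into [major, minor, patch].
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric, field-by-field comparison so that 0.9.0 sorts before 0.54.0.
function isOlderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// version: installed version string, e.g. from node_modules/mongo-express/package.json
// env: environment of the mongo-express process (assumed source of the credentials)
function auditMongoExpress(version, env) {
  const findings = [];
  const v = parseVersion(version);
  if (v === null) {
    findings.push('UNKNOWN_VERSION');   // cannot prove the install is unaffected
  } else if (isOlderThan(v, FIXED)) {
    findings.push('AFFECTED_VERSION');
  }
  // Assumption: unset variables fall back to the default credentials.
  const user = env.ME_CONFIG_BASICAUTH_USERNAME || DEFAULT_USER;
  const pass = env.ME_CONFIG_BASICAUTH_PASSWORD || DEFAULT_PASS;
  if (user === DEFAULT_USER && pass === DEFAULT_PASS) {
    findings.push('DEFAULT_CREDENTIALS');
  }
  return findings;
}

// Constructed sample inputs, not taken from a real host.
const samples = [
  ['0.53.0', {}],
  ['0.54.0', { ME_CONFIG_BASICAUTH_USERNAME: 'ops',
               ME_CONFIG_BASICAUTH_PASSWORD: 'constructed-long-secret' }],
];
for (const [ver, env] of samples) {
  console.log(ver, auditMongoExpress(ver, env));
}
```

An instance that reports AFFECTED_VERSION should be updated; one that reports DEFAULT_CREDENTIALS should have its credentials changed regardless of version.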