Sun. Jan 26th, 2020

CVE-2019-10758: MongoDB mongo-express Remote Code Execution Alert

1 min read

On January 3, 2020, we monitored that mongo-express officially released the CVE-2019-10758 vulnerability warning, with a high vulnerability level. At present, the number of users of mongo-express should be more in the MongoDB admin management interface on Github. We judge that the vulnerability level is high and the harm/impact is large. It is recommended to mongo-express users to update in time to avoid hacking.

MongoDB acquired mLab

Vulnerability details

The affected version of this package is vulnerable to remote code execution (RCE) attacks through endpoints using the toBSON method. Abuse vm dependencies in non-secure environments to execute exec commands. The default username is admin and the password is pass.

Affected version

mongo-express, versions 0.54.0 and older

Unaffected version

mongo-express version 0.54.0 or higher.