Bug 1916627 (CVE-2020-35131) - CVE-2020-35131 cockpit: registerCriteriaFunction in lib/MongoLite/Database.php allows for a Remote Command Execution via custom php code injection
Summary: CVE-2020-35131 cockpit: registerCriteriaFunction in lib/MongoLite/Database.ph...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-35131
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1916630
TreeView+ depends on / blocked
 
Reported: 2021-01-15 10:06 UTC by Marian Rehak
Modified: 2021-02-16 17:16 UTC (History)
13 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-01-18 06:27:57 UTC
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2021-01-15 10:06:56 UTC 
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.

Reference:

https://github.com/agentejo/cockpit/commits/next/lib/MongoLite/Database.php
https://github.com/agentejo/cockpit/releases/tag/0.6.1
Comment 1 Marian Rehak 2021-01-15 10:07:20 UTC 
Created cockpit tracking bugs for this issue:

Affects: fedora-all [bug 1916628]
Comment 2 Martin Pitt 2021-01-15 10:41:12 UTC 
*** Bug 1916628 has been marked as a duplicate of this bug. ***
Comment 3 Doran Moppert 2021-01-18 01:43:31 UTC 
Statement:

This vulnerability applies to Cockpit CMS (https://getcockpit.com/), which is a different product than the Cockpit Project (https://cockpit-project.org/) used in Red Hat products.  The Cockpit Project is not affected by this vulnerability.
Comment 4 Product Security DevOps Team 2021-01-18 06:27:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35131
Note You need to log in before you can comment on or make changes to this bug.