MongoDB Operator Injection

Severity: High

Summary#

Invicti detected that the application is vulnerable to a MongoDB operator injection. MongoDB injections occur when applications don't sanitize user input, which is then interpreted by a MongoDB database.

Impact#

Depending on the backend database version, an attacker can perform one of the following types of attacks successfully:

Reading, updating or deleting arbitrary data from the database
Collect sensitive information about the backend server configuration

Remediation#

To avoid this vulnerability;

Sanitize user-supplied input and strictly check its type
Use most recent version of MongoDB.

Classifications#

PCI v3.2-6.5.1, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, CWE-943

MongoDB Operator Injection

Related Articles

Build your resistance to threats. And save hundreds of hours each month.