Share
## https://sploitus.com/exploit?id=PACKETSTORM:177507
Title: MongoDB MONGOSH Password Exposure Vulnerability  
Product: MongoDB database  
Tool: mongosh  
Affected Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5  
Tested Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5  
Risk Level: Low  
Author of Advisory: Emad Al-Mousa  
  
  
*****************************************  
Vulnerability Details:  
  
Vulnerability in MongoDB database system "mongosh" which is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.  
  
MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.  
  
  
*****************************************  
Proof of Concept (PoC):  
  
Vulnerability No1. : passwordPrompt() showing password displayed in clear text  
  
per documentation:  
  
https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt  
  
The password should not be displayed, however I found out that it appears clearly in the prompt !  
  
The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.  
  
  
  
  
admin> use admin  
already on db admin  
admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})  
Enter password  
mongo  
*****{ ok: 1 }  
admin>  
  
  
Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth command  
  
  
Mongosh was tested with both “remove”& “remove-redact” modes  
  
config.set (redactHistory, “remove-redact”)  
  
config.set (‘redactHistory’, “remove”)  
  
In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_history  
  
Contains the password in clear text for historical commands run for authentication db.auth() and db.createUser , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !  
  
In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh  
  
Commands running for database creation db.createUser and db.auth() are logging the username, password explicitly as shown below:  
  
cat mongosh_repl_history  
  
use admin  
  
db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})  
  
  
*****************************************  
References:  
https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/  
https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt  
https://www.mongodb.com/docs/mongodb-shell/logs/