Title: MongoDB MONGOSH Password Exposure Vulnerability
Product:                   MongoDB database
Tool:                      mongosh
Affected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5
Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5
Risk Level:                Low
Author of Advisory:        Emad Al-Mousa


*****************************************
Vulnerability Details:

Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.

MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.


*****************************************
Proof of Concept (PoC):

Vulnerability No1. : passwordPrompt() showing password displayed in clear text

per documentation:

https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt

The password should not be displayed, however I found out that it appears clearly in the prompt !

The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.




admin> use admin
already on db admin
admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})
Enter password
mongo
*****{ ok: 1 }
admin>


Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth command


Mongosh was tested with both “remove”& “remove-redact” modes

config.set (redactHistory, “remove-redact”)

config.set (‘redactHistory’, “remove”)

In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_history

Contains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !

In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh

Commands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:

cat mongosh_repl_history

use admin

db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})


*****************************************
References:
https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/
https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt
https://www.mongodb.com/docs/mongodb-shell/logs/