CVE-2020-35846

9.8 CRITICAL

📋 TL;DR

CVE-2020-35846 is a NoSQL injection vulnerability in Agentejo Cockpit CMS that allows attackers to execute arbitrary commands on affected systems. The vulnerability exists in the authentication controller and can lead to remote code execution. All users running Cockpit CMS versions before 0.11.2 are affected.

💻 Affected Systems

Products:
  • Agentejo Cockpit CMS
Versions: All versions before 0.11.2
Operating Systems: All platforms running Cockpit CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations regardless of configuration. The vulnerability is in core authentication code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains full system control, executes arbitrary commands, steals sensitive data, and potentially compromises the entire server infrastructure.

🟠

Likely Case

Remote code execution leading to web shell deployment, data exfiltration, and lateral movement within the network.

🟢

If Mitigated

Attack prevented through proper input validation and parameterized queries, limiting impact to authentication failures only.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and vulnerable to remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but attack surface reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm Security. Exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.2 and later

Vendor Advisory: https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466

Restart Required: Yes

Instructions:

1. Back up your current installation.
2. Update Cockpit CMS to version 0.11.2 or later via Composer (composer update agentejo/cockpit).
3. Restart your web server.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement custom input validation to sanitize authentication parameters before processing.

Action: Modify Controller/Auth.php to add parameter validation and sanitization.

Web Application Firewall

Applies to: all

Deploy WAF rules to block NoSQL injection patterns in authentication requests.

Action: Add a WAF rule that denies requests containing suspicious NoSQL operators in auth parameters.

🧯 If You Can't Patch

  • Isolate affected systems from internet access using network segmentation
  • Implement strict network monitoring and alerting for suspicious authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the Cockpit CMS version via the admin panel or by examining the composer.json file for the version number.

Check Version:

php -r "require 'vendor/autoload.php'; echo \Cockpit::VERSION;"

Verify Fix Applied:

Verify that the version is 0.11.2 or later and that the Controller/Auth.php file contains the security fixes from the official commit.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts with special characters
  • Failed login attempts containing NoSQL operators like $ne, $gt, $regex
  • Unexpected process execution from web server user

Network Indicators:

  • HTTP POST requests to /auth/check with suspicious parameters
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND (uri="/auth/check" AND (param="$ne" OR param="$gt" OR param="$regex"))
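As an added example (not code from the advisory or the Cockpit project) covering both the input-validation workaround above and the log indicators in this section: it decodes PHP-style nested form parameters, enforces that credential fields are plain strings, and scans constructed request-log lines for operator keys sent to the auth endpoint. The field names user/password, the log line format and the assumption that the query string is logged are illustrative assumptions.

```python
# Added example (not code from the advisory or the Cockpit project): rebuild
# PHP-style nested form parameters and flag operator keys ($ne, $gt, $regex ...).
import re
from urllib.parse import parse_qsl

CREDENTIAL_FIELDS = ("user", "password")  # assumed names, for illustration only

def decode_php_params(body: str) -> dict:
    """Decode a form body the way PHP fills $_POST: 'user[$ne]=x' -> {'user': {'$ne': 'x'}}."""
    params: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        path = [part.rstrip("]") for part in key.split("[")]  # 'a[b][c]' -> ['a','b','c']
        node = params
        for part in path[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[path[-1]] = value
    return params

def operator_keys(value) -> list:
    """Collect every '$'-prefixed key nested anywhere inside a decoded parameter."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            if k.startswith("$"):
                found.append(k)
            found.extend(operator_keys(v))
    return found

def check_auth_request(body: str) -> list:
    """Hardened rule: credential fields must be plain strings; anything else is flagged."""
    findings = []
    params = decode_php_params(body)
    for field in CREDENTIAL_FIELDS:
        value = params.get(field)
        if value is not None and not isinstance(value, str):
            findings.append((field, sorted(set(operator_keys(value)))))
    return findings

def scan_log(lines, uri="/auth/check") -> list:
    """Return request-log lines whose query string sends operator keys to the auth endpoint."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        path, _, query = (m.group(1) if m else "").partition("?")
        if path == uri and any(operator_keys(v) for v in decode_php_params(query).values()):
            hits.append(line)
    return hits
```

A request whose credential fields arrive as arrays (the bracket syntax) is rejected before any database query is built; the same decoder drives the log scan, so URL-encoded operators such as %24ne are caught as well.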
