CVE-2020-35848

Severity: CVSS 9.8 CRITICAL

📋 TL;DR

CVE-2020-35848 is a NoSQL injection vulnerability in Agentejo Cockpit CMS: the password reset function passes attacker-controlled input into database queries, allowing arbitrary queries to be executed. It affects all Cockpit releases before version 0.11.2. Attackers can potentially bypass authentication, read sensitive data, or perform unauthorized operations.

💻 Affected Systems

Products:
  • Agentejo Cockpit CMS
Versions: All versions before 0.11.2
Operating Systems: All platforms running Cockpit
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation when password reset functionality is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including administrative account takeover, data exfiltration, and potential remote code execution through database functions.

🟠 Likely Case: Authentication bypass leading to unauthorized access to the CMS admin panel and sensitive content.

🟢 If Mitigated: Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically exposed to the internet for password reset functionality.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this if they have network access to the CMS.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists on Packet Storm Security. Exploitation requires no authentication and uses simple NoSQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.2 and later

Vendor Advisory: https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466

Restart Required: No

Instructions:

1. Update Cockpit to version 0.11.2 or later.
2. Replace the vulnerable Controller/Auth.php file with the patched version from the GitHub commits.
3. No service restart is required for PHP applications.

🔧 Temporary Workarounds

Disable password reset functionality

Platforms: all

Temporarily disable the vulnerable password reset endpoint until patching is possible.

# Modify config/config.php to disable password reset
# Add or modify: 'allow_password_reset' => false

Input validation middleware

Platforms: all

Add custom input validation to sanitize NoSQL injection attempts in the auth controller.

# Add input sanitization in Controller/Auth.php
# Filter and validate all user input before processing

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block NoSQL injection patterns
  • Restrict network access to the Cockpit admin interface using IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Cockpit version is below 0.11.2, and examine Controller/Auth.php for a newpassword function that lacks proper input validation.

Check Version:

Run php cockpit/version.php, or check the composer.json file for version information.

Verify Fix Applied:

Verify that the version is 0.11.2 or higher, and check that Controller/Auth.php includes the security fixes from the GitHub commit linked above.

📡 Detection & Monitoring

Log Indicators:

  • Unusual NoSQL query patterns in application logs
  • Multiple failed password reset attempts with malformed parameters
  • Unexpected database queries from auth endpoints

Network Indicators:

  • HTTP POST requests to /auth/newpassword with NoSQL injection payloads
  • Unusual traffic patterns to authentication endpoints

SIEM Query:

source="cockpit_logs" AND (uri="/auth/newpassword" AND (payload CONTAINS "$ne" OR payload CONTAINS "$regex" OR payload CONTAINS "{"))
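As an added example (not part of this advisory and not Cockpit's own code), the following Python script applies the indicators above to constructed request-log records: it flags POSTs to /auth/newpassword whose body carries a MongoDB operator in a parameter name or value, an array-style PHP parameter, or a JSON object where a scalar field is expected. The log field names and the form parameters token/password are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed request-log records (one JSON object per line), not real Cockpit logs;
# the field names and the form parameters token/password are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2021-01-10T10:00:01Z","src":"203.0.113.5","method":"POST","uri":"/auth/newpassword","body":"token=abc123&password=NewPass1"}
{"ts":"2021-01-10T10:00:07Z","src":"203.0.113.9","method":"POST","uri":"/auth/newpassword","body":"token[$ne]=&password=x"}
{"ts":"2021-01-10T10:00:09Z","src":"203.0.113.9","method":"POST","uri":"/auth/newpassword","body":"{\\"token\\":{\\"$regex\\":\\"^a\\"},\\"password\\":\\"x\\"}"}
{"ts":"2021-01-10T10:00:12Z","src":"198.51.100.2","method":"GET","uri":"/auth/login","body":""}
"""
MONGO_OPERATOR = re.compile(r"\$[A-Za-z]+")  # $ne, $regex, $gt, $where, ...

def suspicious_reasons(body):
    """List the NoSQL-operator indicators found in one request body (empty list = clean)."""
    reasons, body = [], body.strip()
    if body.startswith("{"):  # JSON body: parse it rather than matching a raw "{"
        try:
            data = json.loads(body)
        except ValueError:
            return ["malformed JSON body"]
        stack = [("<root>", data)]
        while stack:  # walk nested objects for $-prefixed keys and object-valued fields
            path, val = stack.pop()
            if isinstance(val, dict):
                for k, v in val.items():
                    if k.startswith("$"):
                        reasons.append(f"operator key {k} under {path}")
                    elif path == "<root>" and isinstance(v, (dict, list)):
                        reasons.append(f"structured value for parameter {k}")  # field should be scalar
                    stack.append((k, v))
        return reasons
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if MONGO_OPERATOR.search(key):
            reasons.append(f"operator in parameter name {key}")
        elif "[" in key:  # PHP decodes name[x]=... into an array, not a string
            reasons.append(f"array-style parameter {key}")
        reasons.extend(f"operator in value of {key}" for v in values if MONGO_OPERATOR.search(v))
    return reasons

def scan_log(text):
    """Return the POST /auth/newpassword records whose body carries injection indicators."""
    hits = []
    for rec in map(json.loads, filter(None, text.splitlines())):
        if rec.get("method") == "POST" and rec.get("uri") == "/auth/newpassword":
            reasons = suspicious_reasons(rec.get("body", ""))
            if reasons:
                hits.append({"ts": rec["ts"], "src": rec["src"], "reasons": reasons})
    return hits
```

Parsing the body rather than matching a literal "{" avoids flagging ordinary passwords that happen to contain a brace, which the substring query above would do.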
