Cockpit-HQ Cockpit NoSQL Injection Vulnerability in Asset and Aggregate Handlers
Vulnerability
A critical NoSQL injection vulnerability has been identified in Cockpit-HQ Cockpit CMS versions through 2.13.5. It arises from improper sanitization of user-controlled JSON objects in the data query logic: the objects are passed to MongoDB without removing query operators, so an authenticated user can inject operators to exfiltrate data. The issue is present in the Asset Handler and Aggregate Handler components, specifically the 'POST /assets/assets' and '/api/content/aggregate/{model}' endpoints. Exploitation can lead to unauthorized access to sensitive data, including administrative credentials and personal information.
Impact
Exploitation of this vulnerability allows for full database exfiltration, cross-collection data theft, and unauthorized access to sensitive information such as hashed passwords, API tokens, and 2FA secrets.
Reproduction
To reproduce this vulnerability, an authenticated user with 'assets/read' or 'content/read' permissions can send a request to the '/api/content/aggregate/{model}' endpoint with a crafted aggregation pipeline that includes MongoDB operators like '$lookup' to exfiltrate data from unauthorized collections. Alternatively, the vulnerability can be reproduced by sending a 'POST' request to the '/assets/assets' endpoint with a filter that uses '$regex' to extract specific information, such as the creator's user ID of an asset.
Remediation
It is recommended to implement a recursive sanitizer that removes all keys starting with '$' from user-provided objects, including nested sub-documents and array elements, before they are passed to the database. Additionally, the aggregation API should be restricted to an allowlist of stages, blocking cross-collection operators such as '$lookup' and '$unionWith' for non-superadmin users.
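The two controls described above, written out as an added example. This is not Cockpit's own code (Cockpit is a PHP project; Python is used here so the logic can be run and tested stand-alone). The stage allowlist `DEFAULT_ALLOWED_STAGES` and the audit-path format are assumptions made for the example; the operator names '$', '$regex', '$lookup' and '$unionWith' come from the advisory. The sample filter and pipeline inside the block are constructed inputs.

```python
"""Defensive sanitization of user-supplied MongoDB filters and aggregation
pipelines, following the remediation described above (added example, not
code from the Cockpit project)."""
from typing import Any

# Stages a non-superadmin caller may use. Cross-collection stages such as
# $lookup and $unionWith are deliberately absent. The exact contents of this
# allowlist are an assumption for the example, not Cockpit's own list.
DEFAULT_ALLOWED_STAGES = frozenset({
    "$match", "$project", "$sort", "$limit", "$skip",
    "$group", "$count", "$unwind",
})


def _strip(value: Any, path: str, removed: list[str]) -> Any:
    """Recursively copy *value*, dropping every dict key that starts with '$'.

    Removed key paths (e.g. "_by.$regex") are appended to *removed* so the
    handler can log them: a request that needed operator stripping is worth
    an audit entry, not just a silent fix-up.
    """
    if isinstance(value, dict):
        clean: dict = {}
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else str(key)
            if isinstance(key, str) and key.startswith("$"):
                removed.append(child_path)
                continue
            clean[key] = _strip(child, child_path, removed)
        return clean
    if isinstance(value, list):
        # Arrays can hide sub-documents, so recurse into each element too.
        return [_strip(item, f"{path}[{i}]", removed) for i, item in enumerate(value)]
    return value


def sanitize_filter(filter_doc: Any) -> tuple[dict, list[str]]:
    """Return (sanitized filter, list of removed operator paths).

    The top-level filter must be a JSON object; anything else is rejected
    outright rather than forwarded to the database.
    """
    if not isinstance(filter_doc, dict):
        raise TypeError("filter must be a JSON object")
    removed: list[str] = []
    return _strip(filter_doc, "", removed), removed


def validate_pipeline(pipeline: Any, is_superadmin: bool = False,
                      allowed: frozenset = DEFAULT_ALLOWED_STAGES) -> tuple[bool, str]:
    """Check an aggregation pipeline against the stage allowlist.

    Returns (True, "ok") when every stage is a single-key object whose
    operator is permitted for this caller, otherwise (False, reason).
    Superadmins bypass the allowlist but still get the structural checks.
    """
    if not isinstance(pipeline, list):
        return False, "pipeline must be a list of stages"
    for index, stage in enumerate(pipeline):
        if not isinstance(stage, dict) or len(stage) != 1:
            return False, f"stage {index} must be an object with exactly one operator key"
        (operator,) = stage.keys()
        if not isinstance(operator, str) or not operator.startswith("$"):
            return False, f"stage {index}: {operator!r} is not a stage operator"
        if not is_superadmin and operator not in allowed:
            return False, f"stage {index}: {operator} is not permitted for this user"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs illustrating both controls.
    user_filter = {"folder": "images", "_by": {"$regex": "^5"}}
    clean, dropped = sanitize_filter(user_filter)
    print("sanitized filter:", clean, "dropped:", dropped)

    pipeline = [{"$match": {"published": True}}, {"$lookup": {"from": "users"}}]
    print("non-superadmin:", validate_pipeline(pipeline))
    print("superadmin:", validate_pipeline(pipeline, is_superadmin=True))
```

In a handler, `sanitize_filter` runs before the filter reaches the driver, and a non-empty `dropped` list is logged with the caller's identity; `validate_pipeline` runs before the aggregate call, returning the reason string to the client and logging the rejected stage.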
