CVE-2013-1892
published 2013-10-01

Priority: P3 (55, medium)
CVSS 2.0: 6.0 MEDIUM (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 44.54% (98.6th percentile)
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.

Affected (18 ranges)

Vendor   Product         Version range   Fixed in
mongodb  mongodb         <= 2.0.8        -
mongodb  mongodb         -               -      (16 further mongodb/mongodb rows carry no version data on this page)
redhat   enterprise_mrg  -               -

Detection & IOCs (extracted from sources)

port: 27017
url: http://fastdl.mongodb.org/linux/mongodb-linux-i686-2.2.3.tgz
  • Detect exploit attempts by monitoring MongoDB wire protocol traffic on port 27017 for JavaScript payloads containing 'nativeHelper.apply' with a crafted numeric first argument (e.g., object with key 'x' set to a raw memory address).
  • Alert on MongoDB $where clauses containing heap-spray patterns: large loops building NOP sleds via unescape('%u9090%u9090') combined with 'nativeHelper.apply' calls.
  • The exploit requires authenticated access; monitor for authentication attempts against the 'admin' database on MongoDB followed immediately by $where JavaScript execution.
  • The string 'MongoSploit!' appears verbatim in the ROP chain payload and can be used as a network signature to detect exploitation attempts.
  • The exploit uses a fixed ROP gadget address 0x0836e204 (mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]) as the first argument to nativeHelper.apply; presence of this value in $where payloads is a strong indicator.
  • The exploit targets MongoDB 2.2.3 on Linux 32-bit; detection should focus on mongod processes running vulnerable versions (before 2.0.9 or 2.2.x before 2.2.4).
  • The exploit requires remote authenticated access; unauthenticated MongoDB instances are also vulnerable, and because the module explicitly supports credential-based authentication, requiring authentication alone does not mitigate the risk.
  • The published ROP chain and gadget offsets are specific to MongoDB 2.2.3 32-bit Linux builds; other versions or architectures have different gadget addresses, so detection based solely on hardcoded addresses may miss adapted exploits.
  • The exploit can optionally create a new, randomly named collection if none is specified, so collection-name-based detection is unreliable.
  • OpenShift Enterprise 1 was marked 'Will not fix' for this CVE, meaning deployments on that platform remain permanently vulnerable.
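
A scanner for the indicators listed above, written as an added example (it is not code from any of the quoted sources): it classifies a $where JavaScript string by those indicators and notes whether the same client authenticated to 'admin' first. The event format, the regexes and the sample payloads are constructed assumptions, not signatures taken from the sources.

```python
import re

# Indicators from the detection notes above; regexes and sample events are constructed.
GADGET_ADDR = 0x0836e204  # gadget address quoted for the 2.2.3 32-bit build
RX_APPLY = re.compile(r"nativeHelper\s*\.\s*apply\s*\(")
RX_X_ARG = re.compile(r"nativeHelper\s*\.\s*apply\s*\(\s*\{\s*['\"]?x['\"]?\s*:\s*(0x[0-9a-fA-F]+|[1-9]\d*|0)")
RX_SPRAY = re.compile(r"unescape\s*\(\s*['\"](?:%u9090){2,}")

def scan_where_js(js: str) -> dict:
    """Classify one $where JavaScript string: which indicators match and a verdict."""
    hits = []
    if RX_APPLY.search(js):
        hits.append("nativeHelper.apply")
    m = RX_X_ARG.search(js)
    if m:
        hits.append("numeric x first argument")
        if int(m.group(1), 0) == GADGET_ADDR:  # base 0 parses both 0x... and decimal
            hits.append("known gadget address")
    if RX_SPRAY.search(js):
        hits.append("%u9090 heap spray")
    if "MongoSploit!" in js:
        hits.append("MongoSploit! marker")
    if "known gadget address" in hits or "MongoSploit! marker" in hits:
        verdict = "high"       # matches the published payload itself
    elif "numeric x first argument" in hits or len(hits) >= 2:
        verdict = "medium"     # crafted-address shape, or spray plus nativeHelper, any build
    elif hits:
        verdict = "low"        # a single indicator; rare in legitimate $where code
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}

def correlate(events: list) -> list:
    # Flag suspicious $where executions and record whether that client hit 'admin' auth first.
    admin_authed, alerts = set(), []
    for ev in events:
        if ev["op"] == "authenticate" and ev["db"] == "admin":
            admin_authed.add(ev["client"])
        elif ev["op"] == "$where":
            result = scan_where_js(ev["js"])
            if result["verdict"] != "clean":
                alerts.append({"client": ev["client"], "after_admin_auth": ev["client"] in admin_authed, **result})
    return alerts

SAMPLE_EVENTS = [  # constructed command-audit events, not real mongod log lines
    {"client": "10.0.0.5", "db": "admin", "op": "authenticate"},
    {"client": "10.0.0.5", "db": "test", "op": "$where", "js": "nativeHelper.apply({x:0x0836e204},[buf])"},
    {"client": "10.0.0.7", "db": "test", "op": "$where", "js": "this.age > 30"},
    {"client": "10.0.0.9", "db": "test", "op": "$where", "js": "s=unescape('%u9090%u9090');nativeHelper.apply({x:4096},[s])"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a high-severity alert for 10.0.0.5 (gadget address after an admin login) and a medium one for 10.0.0.9 (spray plus a non-2.2.3 address), while the ordinary $where from 10.0.0.7 is not reported.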

CVSS provenance

nvd (v2.0): 6.0 MEDIUM, AV:N/AC:M/Au:S/C:P/I:P/A:P
vendor_redhat: 6.0 MEDIUM