CVE-2020-35131
Published: 2021-01-08
Priority: P187
Severity: Critical 9.8 (CVSS 3.1) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 49.94% (98.8th percentile)
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agentejo | cockpit | < 0.6.1 | 0.6.1 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /auth/check or /auth/requestreset containing PHP injection patterns (e.g., single-quote-delimited PHP function calls) in the JSON body.
- A successful exploit response will contain both the 'cockpit' and 'PHP Extension' strings in the HTTP response body (phpinfo() output), indicating RCE was achieved.
- Requests will use Content-Type: application/json; charset=UTF-8 and target the unauthenticated /auth/check and /auth/requestreset endpoints; no authentication is required.
- Shodan/FOFA fingerprinting: identify exposed Cockpit CMS instances via http.html:"cockpit" (Shodan) or app="Cockpit" (FOFA) for proactive asset discovery.
- Note: This CVE affects Cockpit CMS (getcockpit.com), NOT the Red Hat Cockpit Project (cockpit-project.org). Ensure detections are scoped to the correct product.
- The vulnerability exists in versions of Cockpit CMS strictly before 0.6.1; version 0.6.1 and later are patched.
- The injection point is the registerCriteriaFunction method in lib/MongoLite/Database.php; patching or monitoring changes to this file is relevant for defenders.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
Red Hat
cockpit: registerCriteriaFunction in lib/MongoLite/Database.php allows for a Remote Command Execution via custom php code injection
vendor_redhat · 2021-01-08 · CVSS 9.8 · CRITICAL · CWE-94
A flaw was found in cockpit. An attacker is able to inject custom PHP code and achieve remote command execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: This vulnerability applies to Cockpit CMS (https://getcockpit.com/), which is a different product than the Cockpit Project (https://cockpit-project.org/) used in Red Hat product
GHSA
GHSA-5qjq-mx2m-jmx9: Cockpit before 0
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-94
VulnCheck
agentejo cockpit Improper Control of Generation of Code ('Code Injection')
vulncheck · 2020 · CVSS 9.8 · CRITICAL
Affected: agentejo cockpit
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2020-35131
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2020-35131
No detection rules found.
Nuclei
Cockpit CMS 0.6.1 - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Template:
```yaml
id: CVE-2020-35131

info:
  name: Cockpit CMS 0.6.1 - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
  impact: |
    Unauthenticated attackers can inject custom PHP code to achieve remote command execution, leading to complete C
```
No writeups or analysis indexed.
References:
- https://github.com/agentejo/cockpit/commits/next/lib/MongoLite/Database.php
- https://github.com/agentejo/cockpit/releases/tag/0.6.1
- https://www.exploit-db.com/exploits/49390