CVE-2020-7921
06.05.2020, 15:15
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.Enginsight
| Vendor | Product | Version |
|---|---|---|
| mongodb | mongodb | 3.6.0 ≤ 𝑥 < 3.6.18 |
| mongodb | mongodb | 4.0.0 ≤ 𝑥 < 4.0.15 |
| mongodb | mongodb | 4.2.0 ≤ 𝑥 < 4.2.3 |
| mongodb | mongodb | 4.3.0 ≤ 𝑥 < 4.3.3 |
𝑥
= Vulnerable software versions
Ubuntu Releases
Common Weakness Enumeration
- CWE-182 - Collapse of Data into Unsafe ValueThe software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.