CVE-2020-7924

12.04.2021, 17:15

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
mongodb	CNA	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Vendor	Product	Version
mongodb	database_tools	3.6.5 ≤ 𝑥 < 3.6.21
mongodb	database_tools	4.0.0 ≤ 𝑥 < 4.0.21
mongodb	database_tools	4.2.0 ≤ 𝑥 < 4.2.11
mongodb	database_tools	100.0.0 ≤ 𝑥 < 100.2.0
mongodb	mongomirror	𝑥 < 0.6.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

mongo-tools

groovy	dne
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://jira.mongodb.org/browse/TOOLS-2587