CVE-2020-7924

EUVD-2022-2775

12.04.2021, 17:15

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
mongodb	CNA	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Affected Products (NVD)

Vendor	Product	Version
mongodb	database_tools	3.6.5 ≤ 𝑥 < 3.6.21
mongodb	database_tools	4.0.0 ≤ 𝑥 < 4.0.21
mongodb	database_tools	4.2.0 ≤ 𝑥 < 4.2.11
mongodb	database_tools	100.0.0 ≤ 𝑥 < 100.2.0
mongodb	mongomirror	𝑥 < 0.6.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

mongo-tools

bionic	not-affected
focal	not-affected
groovy	dne
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://jira.mongodb.org/browse/TOOLS-2587