CVE-2023-1409

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.

This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
mongodbCNA
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
mongodbmongodb
4.4.0 ≤
𝑥
< 4.4.23
mongodbmongodb
5.0.0 ≤
𝑥
≤ 5.0.14
mongodbmongodb
6.0.0 ≤
𝑥
< 6.0.7
mongodbmongodb
6.3.0 ≤
𝑥
≤ 6.3.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mongodb
oracular
dne
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://jira.mongodb.org/browse/SERVER-73662
https://jira.mongodb.org/browse/SERVER-77028
https://security.netapp.com/advisory/ntap-20230921-0007/
https://jira.mongodb.org/browse/SERVER-73662
https://jira.mongodb.org/browse/SERVER-77028
https://security.netapp.com/advisory/ntap-20230921-0007/