Vulnerability-Lookup

CVE-2024-1351 (GCVE-0-2024-1351)

Vulnerability from cvelistv5 – Published: 2024-03-07 16:10 – Updated: 2025-02-13 17:27

Title

MongoDB Server may allow successful untrusted connection

Summary

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28. Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-295 - Improper Certificate Validation

Assigner

mongodb

References

URL

Tags

	https://jira.mongodb.org/browse/SERVER-72839
	https://www.mongodb.com/docs/v5.0/release-notes/5…	release-notes
	https://www.mongodb.com/docs/v6.0/release-notes/6…	release-notes
	https://www.mongodb.com/docs/manual/release-notes…	release-notes
	https://www.mongodb.com/docs/manual/release-notes…	release-notes
	https://security.netapp.com/advisory/ntap-2024052…

Impacted products

	Vendor	Product	Version
	MongoDB Inc	MongoDB Server	Affected: 7.0 , ≤ 7.0.5 (custom) Affected: 6.0 , ≤ 6.0.13 (custom) Affected: 5.0 , ≤ 5.0.24 (custom) Affected: 4.4 , ≤ 4.4.28 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:33:25.588Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/SERVER-72839"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240524-0010/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mongodb",
            "vendor": "mongodb",
            "versions": [
              {
                "lessThanOrEqual": "7.0.5",
                "status": "affected",
                "version": "7.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "6.0.13",
                "status": "affected",
                "version": "6.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "5.0.24",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "4.4.28",
                "status": "affected",
                "version": "4.4",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1351",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-07T18:56:20.004972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T17:06:22.918Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB Server",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThanOrEqual": "7.0.5",
              "status": "affected",
              "version": "7.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.0.13",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.0.24",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.4.28",
              "status": "affected",
              "version": "4.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\u003cbr\u003e"
            }
          ],
          "value": "A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured."
        }
      ],
      "datePublic": "2024-02-29T09:31:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUnder certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\u003c/p\u003e\u003cp\u003eRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\u003c/p\u003e"
            }
          ],
          "value": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-10T16:11:00.782Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "url": "https://jira.mongodb.org/browse/SERVER-72839"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240524-0010/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "MongoDB Server may allow successful untrusted connection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2024-1351",
    "datePublished": "2024-03-07T16:10:19.597Z",
    "dateReserved": "2024-02-08T16:36:39.507Z",
    "dateUpdated": "2025-02-13T17:27:37.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://jira.mongodb.org/browse/SERVER-72839\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024\", \"tags\": [\"release-notes\", \"x_transferred\"]}, {\"url\": \"https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024\", \"tags\": [\"release-notes\", \"x_transferred\"]}, {\"url\": \"https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024\", \"tags\": [\"release-notes\", \"x_transferred\"]}, {\"url\": \"https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024\", \"tags\": [\"release-notes\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0010/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:33:25.588Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1351\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-07T18:56:20.004972Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*\"], \"vendor\": \"mongodb\", \"product\": \"mongodb\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.0.5\"}, {\"status\": \"affected\", \"version\": \"6.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.0.13\"}, {\"status\": \"affected\", \"version\": \"5.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.0.24\"}, {\"status\": \"affected\", \"version\": \"4.4\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.4.28\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-15T17:06:17.619Z\"}}], \"cna\": {\"title\": \"MongoDB Server may allow successful untrusted connection\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"MongoDB Inc\", \"product\": \"MongoDB Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.0.5\"}, {\"status\": \"affected\", \"version\": \"6.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.0.13\"}, {\"status\": \"affected\", \"version\": \"5.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.0.24\"}, {\"status\": \"affected\", \"version\": \"4.4\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.4.28\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-02-29T09:31:00.000Z\", \"references\": [{\"url\": \"https://jira.mongodb.org/browse/SERVER-72839\"}, {\"url\": \"https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0010/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\\n\\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUnder certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\u003c/p\u003e\u003cp\u003eRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"a39b4221-9bd0-4244-95fc-f3e2e07f1deb\", \"shortName\": \"mongodb\", \"dateUpdated\": \"2024-06-10T16:11:00.782Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-1351\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:27:37.200Z\", \"dateReserved\": \"2024-02-08T16:36:39.507Z\", \"assignerOrgId\": \"a39b4221-9bd0-4244-95fc-f3e2e07f1deb\", \"datePublished\": \"2024-03-07T16:10:19.597Z\", \"assignerShortName\": \"mongodb\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0200

Vulnerability from certfr_avis - Published: 2024-03-11 - Updated: 2024-03-11

Une vulnérabilité a été découverte dans les produits MongoDB. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
MongoDB	Server	MongoDB Server versions 5.0.x antérieures à 5.0.25
MongoDB	Server	MongoDB Server versions 7.0.x antérieures à 7.0.6
MongoDB	Server	MongoDB Server versions 6.0.x antérieures à 6.0.14
MongoDB	Server	MongoDB Server versions 4.4.x antérieures à 4.4.29
MongoDB	Server	MongoDB Server versions 7.1.x antérieures à 7.1.0-rc4

References

Title

Publication Time

Tags

Bulletin de sécurité MongoDB SERVER-72839 du 29 février 2024

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MongoDB Server versions 5.0.x ant\u00e9rieures \u00e0 5.0.25",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    },
    {
      "description": "MongoDB Server versions 7.0.x ant\u00e9rieures \u00e0 7.0.6",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    },
    {
      "description": "MongoDB Server versions 6.0.x ant\u00e9rieures \u00e0 6.0.14",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    },
    {
      "description": "MongoDB Server versions 4.4.x ant\u00e9rieures \u00e0 4.4.29",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    },
    {
      "description": "MongoDB Server versions 7.1.x ant\u00e9rieures \u00e0 7.1.0-rc4",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-1351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-1351"
    }
  ],
  "initial_release_date": "2024-03-11T00:00:00",
  "last_revision_date": "2024-03-11T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0200",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-03-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans \u003cspan class=\"textit\"\u003eles\nproduits MongoDB\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans les produits MongoDB",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 MongoDB SERVER-72839 du 29 f\u00e9vrier 2024",
      "url": "https://jira.mongodb.org/browse/SERVER-72839"
    }
  ]
}

CERTFR-2025-AVI-0838

Vulnerability from certfr_avis - Published: 2025-10-02 - Updated: 2025-10-02

De multiples vulnérabilités ont été découvertes dans les produits Splunk. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2411 antérieures à 9.3.2411.109
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.2.2406 antérieures à 9.2.2406.123
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2408 antérieures à 9.3.2408.119
Splunk	Splunk Enterprise	Splunk Enterprise versions 10.0.x antérieures à 10.0.1
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.2.2406 antérieures à 9.2.2406.123
Splunk	Splunk Enterprise	Splunk Enterprise versions 10.0.x antérieures à 10.0.0
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.2.x antérieures à 9.2.8
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.4.x antérieures à 9.4.4
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.3.x antérieures à 9.3.6
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.3.2411 antérieures à 9.3.2411.108
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.3.2408 antérieures à 9.3.2408.118
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2411 antérieures à 9.3.2411.111

References

Title

Publication Time

Tags

Bulletin de sécurité Splunk SVD-2025-1006	2025-10-01	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-1005	2025-10-01	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-1002	2025-10-01	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-1004	2025-10-01	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-1007	2025-10-01	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-1003	2025-10-01	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-1001	2025-10-01	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Splunk Cloud Platform versions 9.3.2411 ant\u00e9rieures \u00e0 9.3.2411.109",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Cloud Platform versions 9.2.2406 ant\u00e9rieures \u00e0 9.2.2406.123",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Cloud Platform versions 9.3.2408 ant\u00e9rieures \u00e0 9.3.2408.119",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 10.0.x ant\u00e9rieures \u00e0 10.0.1",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.2.2406 ant\u00e9rieures \u00e0 9.2.2406.123",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 10.0.x ant\u00e9rieures \u00e0 10.0.0",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.2.x ant\u00e9rieures \u00e0 9.2.8",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.4.x ant\u00e9rieures \u00e0 9.4.4",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.3.x ant\u00e9rieures \u00e0 9.3.6",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.3.2411 ant\u00e9rieures \u00e0 9.3.2411.108",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.3.2408 ant\u00e9rieures \u00e0 9.3.2408.118",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Cloud Platform versions 9.3.2411 ant\u00e9rieures \u00e0 9.3.2411.111",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2022-46175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
    },
    {
      "name": "CVE-2015-5237",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-5237"
    },
    {
      "name": "CVE-2025-20367",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20367"
    },
    {
      "name": "CVE-2024-7553",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7553"
    },
    {
      "name": "CVE-2025-20366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20366"
    },
    {
      "name": "CVE-2025-52999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
    },
    {
      "name": "CVE-2022-37601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
    },
    {
      "name": "CVE-2025-20370",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20370"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2024-7254",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
    },
    {
      "name": "CVE-2025-20369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20369"
    },
    {
      "name": "CVE-2025-5025",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5025"
    },
    {
      "name": "CVE-2024-1351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-1351"
    },
    {
      "name": "CVE-2025-20371",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20371"
    },
    {
      "name": "CVE-2025-20368",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20368"
    },
    {
      "name": "CVE-2025-32415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32415"
    },
    {
      "name": "CVE-2025-4947",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4947"
    },
    {
      "name": "CVE-2025-0725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0725"
    },
    {
      "name": "CVE-2025-0167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0167"
    }
  ],
  "initial_release_date": "2025-10-02T00:00:00",
  "last_revision_date": "2025-10-02T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0838",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-10-02T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
  "vendor_advisories": [
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1006",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1006"
    },
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1005",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1005"
    },
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1002",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1002"
    },
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1004",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1004"
    },
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1007",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1007"
    },
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1003",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1003"
    },
    {
      "published_at": "2025-10-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-1001",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1001"
    }
  ]
}

GSD-2024-1351

Vulnerability from gsd - Updated: 2024-02-09 06:02

Details

Aliases

CVE-2024-1351

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-1351"
      ],
      "details": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n",
      "id": "GSD-2024-1351",
      "modified": "2024-02-09T06:02:34.561014Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@mongodb.com",
        "ID": "CVE-2024-1351",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "MongoDB Server",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "7.0",
                          "version_value": "7.0.5"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_name": "6.0",
                          "version_value": "6.0.13"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_name": "5.0",
                          "version_value": "5.0.24 "
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_name": "4.4",
                          "version_value": "4.4.28"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "MongoDB Inc"
            }
          ]
        }
      },
      "configuration": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\u003cbr\u003e"
            }
          ],
          "value": "A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-295",
                "lang": "eng",
                "value": "CWE-295: Improper Certificate Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://jira.mongodb.org/browse/SERVER-72839",
            "refsource": "MISC",
            "url": "https://jira.mongodb.org/browse/SERVER-72839"
          },
          {
            "name": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024",
            "refsource": "MISC",
            "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
          },
          {
            "name": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024",
            "refsource": "MISC",
            "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
          },
          {
            "name": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024",
            "refsource": "MISC",
            "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
          },
          {
            "name": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024",
            "refsource": "MISC",
            "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n"
          },
          {
            "lang": "es",
            "value": "Bajo ciertas configuraciones de --tlsCAFile y tls.CAFile, el servidor MongoDB puede omitir la validaci\u00f3n de certificados de pares, lo que puede resultar en conexiones que no son de confianza para tener \u00e9xito. Esto puede reducir efectivamente las garant\u00edas de seguridad proporcionadas por TLS y abrir conexiones que deber\u00edan haberse cerrado debido a una validaci\u00f3n fallida del certificado. Este problema afecta a las versiones de MongoDB Server v7.0 anteriores a 7.0.5 incluida, a las versiones de MongoDB Server v6.0 anteriores a 6.0.13 incluida, a las versiones de MongoDB Server v5.0 anteriores a 5.0.24 incluida y a MongoDB Server v4.4 Versiones anteriores a la 4.4.28 incluida. Configuraci\u00f3n requerida: un proceso de servidor permitir\u00e1 que las conexiones entrantes omitan la validaci\u00f3n del certificado de pares si el proceso del servidor se inici\u00f3 con TLS habilitado (net.tls.mode configurado en enableTLS, preferTLS o requireTLS) y sin un archivo net.tls.CAFile configurado."
          }
        ],
        "id": "CVE-2024-1351",
        "lastModified": "2024-03-08T14:02:57.420",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "cna@mongodb.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-07T17:15:12.740",
        "references": [
          {
            "source": "cna@mongodb.com",
            "url": "https://jira.mongodb.org/browse/SERVER-72839"
          },
          {
            "source": "cna@mongodb.com",
            "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
          },
          {
            "source": "cna@mongodb.com",
            "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
          },
          {
            "source": "cna@mongodb.com",
            "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
          },
          {
            "source": "cna@mongodb.com",
            "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
          }
        ],
        "sourceIdentifier": "cna@mongodb.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-295"
              }
            ],
            "source": "cna@mongodb.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

CVE-2024-1351

Vulnerability from fstec - Published: 07.03.2024

Title

Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB

Description

Уязвимость системы управления базами данных MongoDB связана с ошибками процедуры подтверждения подлинности TLS сертификата. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, установить несанкционированное соединение к серверу MongoDB

Severity ?


                    
                      AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

ООО «Ред Софт», MongoDB Inc., Percona LLC

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), MongoDB, Percona Server for MongoDB

Software Version

7.3 (РЕД ОС), от 7.0.0 до 7.0.5 включительно (MongoDB), от 6.0.0 до 6.0.13 включительно (MongoDB), от 5.0.0 до 5.0.24 включительно (MongoDB), от 4.4.0 до 4.4.28 включительно (MongoDB), до 7.0.7-4 (Percona Server for MongoDB)

Possible Mitigations

Использование рекомендаций: https://jira.mongodb.org/browse/SERVER-72839 https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024 https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024 https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024 https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024 Для РЕД ОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Reference

https://jira.mongodb.org/browse/SERVER-72839 https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024 https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024 https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024 https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024 http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

CWE

CWE-295

JSON

To clipboard

{
  "CVSS 2.0": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "TO1165, TO1166",
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": "TO1165 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Percona Server for MongoDB, TO1166 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Percona Server for MongoDB",
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, MongoDB Inc., Percona LLC",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 7.0.0 \u0434\u043e 7.0.5 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (MongoDB), \u043e\u0442 6.0.0 \u0434\u043e 6.0.13 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (MongoDB), \u043e\u0442 5.0.0 \u0434\u043e 5.0.24 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (MongoDB), \u043e\u0442 4.4.0 \u0434\u043e 4.4.28 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (MongoDB), \u0434\u043e 7.0.7-4 (Percona Server for MongoDB)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://jira.mongodb.org/browse/SERVER-72839\t\nhttps://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024\t\nhttps://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024\t\nhttps://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024\t\nhttps://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024\n\n\n\n\u0414\u043b\u044f \u0420\u0415\u0414 \u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "07.03.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "19.10.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "13.03.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-01947",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-1351",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), MongoDB, Percona Server for MongoDB",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 MongoDB, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u044b \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 TLS \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0443 MongoDB",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0435 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u0435 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430 (CWE-295)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 MongoDB \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u044b \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 TLS \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0443 MongoDB",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://jira.mongodb.org/browse/SERVER-72839\t\nhttps://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024\t\nhttps://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024\t\nhttps://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024\t\nhttps://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0423\u0411\u0414, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-295",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,3)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,8)"
}

bit-mongodb-2024-1351

Vulnerability from bitnami_vulndb

Published

2025-03-12 07:18

Modified

2025-05-20 10:02

Summary

MongoDB Server may allow successful untrusted connection

Details

Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "mongodb",
        "purl": "pkg:bitnami/mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "5.0.26"
            },
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.14"
            },
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1351"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
  },
  "details": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.",
  "id": "BIT-mongodb-2024-1351",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2025-03-12T07:18:10.164Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-72839"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240524-0010/"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1351"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "MongoDB Server may allow successful untrusted connection"
}

CNVD-2024-13539

Vulnerability from cnvd - Published: 2024-03-14

Title

MongoDB Server信任管理问题漏洞（CNVD-2024-13539）

Description

MongoDB Server是美国MongoDB公司的一套开源的NoSQL数据库。该数据库提供面向集合的存储、动态查询、数据复制及自动故障转移等功能。 MongoDB Server存在信任管理问题漏洞，该漏洞源于未提供CAFile和clusterCAFile时，服务器会跳过对等证书验证。攻击者可利用该漏洞导致中间人攻击。

Severity

高

Patch Name

MongoDB Server信任管理问题漏洞（CNVD-2024-13539）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://jira.mongodb.org/browse/SERVER-81312?jql=project%20%3D%20SERVER%20AND%20fixVersion%20%3D%207.1.0-rc4

Reference

https://jira.mongodb.org/browse/SERVER-72839

Impacted products

Name
['MongoDB MongoDB Server >=7.0，<=7.0.5', 'MongoDB MongoDB Server >=6.0，<=6.0.13', 'MongoDB MongoDB Server >=5.0，<=5.0.24', 'MongoDB MongoDB Server >=4.4，<=4.4.28']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-1351",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-1351"
    }
  },
  "description": "MongoDB Server\u662f\u7f8e\u56fdMongoDB\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684NoSQL\u6570\u636e\u5e93\u3002\u8be5\u6570\u636e\u5e93\u63d0\u4f9b\u9762\u5411\u96c6\u5408\u7684\u5b58\u50a8\u3001\u52a8\u6001\u67e5\u8be2\u3001\u6570\u636e\u590d\u5236\u53ca\u81ea\u52a8\u6545\u969c\u8f6c\u79fb\u7b49\u529f\u80fd\u3002\n\nMongoDB Server\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u63d0\u4f9bCAFile\u548cclusterCAFile\u65f6\uff0c\u670d\u52a1\u5668\u4f1a\u8df3\u8fc7\u5bf9\u7b49\u8bc1\u4e66\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4e2d\u95f4\u4eba\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://jira.mongodb.org/browse/SERVER-81312?jql=project%20%3D%20SERVER%20AND%20fixVersion%20%3D%207.1.0-rc4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-13539",
  "openTime": "2024-03-14",
  "patchDescription": "MongoDB Server\u662f\u7f8e\u56fdMongoDB\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684NoSQL\u6570\u636e\u5e93\u3002\u8be5\u6570\u636e\u5e93\u63d0\u4f9b\u9762\u5411\u96c6\u5408\u7684\u5b58\u50a8\u3001\u52a8\u6001\u67e5\u8be2\u3001\u6570\u636e\u590d\u5236\u53ca\u81ea\u52a8\u6545\u969c\u8f6c\u79fb\u7b49\u529f\u80fd\u3002\r\n\r\nMongoDB Server\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u63d0\u4f9bCAFile\u548cclusterCAFile\u65f6\uff0c\u670d\u52a1\u5668\u4f1a\u8df3\u8fc7\u5bf9\u7b49\u8bc1\u4e66\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4e2d\u95f4\u4eba\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "MongoDB Server\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2024-13539\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "MongoDB MongoDB Server \u003e=7.0\uff0c\u003c=7.0.5",
      "MongoDB MongoDB Server \u003e=6.0\uff0c\u003c=6.0.13",
      "MongoDB MongoDB Server \u003e=5.0\uff0c\u003c=5.0.24",
      "MongoDB MongoDB Server \u003e=4.4\uff0c\u003c=4.4.28"
    ]
  },
  "referenceLink": "https://jira.mongodb.org/browse/SERVER-72839",
  "serverity": "\u9ad8",
  "submitTime": "2024-03-12",
  "title": "MongoDB Server\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2024-13539\uff09"
}

GHSA-825C-4W2M-H7FV

Vulnerability from github – Published: 2024-03-07 18:30 – Updated: 2025-02-13 18:32

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-1351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-07T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.",
  "id": "GHSA-825c-4w2m-h7fv",
  "modified": "2025-02-13T18:32:20Z",
  "published": "2024-03-07T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1351"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-72839"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240524-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-1351

Vulnerability from fkie_nvd - Published: 2024-03-07 17:15 - Updated: 2025-03-11 16:56

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cna@mongodb.com	https://jira.mongodb.org/browse/SERVER-72839	Issue Tracking, Patch, Vendor Advisory
cna@mongodb.com	https://security.netapp.com/advisory/ntap-20240524-0010/	Third Party Advisory
cna@mongodb.com	https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024	Broken Link
cna@mongodb.com	https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024	Release Notes
cna@mongodb.com	https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024	Release Notes
cna@mongodb.com	https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://jira.mongodb.org/browse/SERVER-72839	Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20240524-0010/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024	Release Notes

Impacted products

Vendor	Product	Version
mongodb	mongodb	*
mongodb	mongodb	*
mongodb	mongodb	*
mongodb	mongodb	*
netapp	astra_control_center	-
netapp	ontap_tools	10

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BEEC634-F69A-404A-A867-F38A31137F31",
              "versionEndExcluding": "4.4.29",
              "versionStartIncluding": "4.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4D47D83-31AE-459D-B0EC-3F5184EF1912",
              "versionEndExcluding": "5.0.25",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB3D23E4-41F4-4AAF-8B09-401BF735740E",
              "versionEndExcluding": "6.0.14",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D7A1437-1CC0-4ECC-AE42-9F32E84282A5",
              "versionEndExcluding": "7.0.6",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:astra_control_center:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC5EBD2A-32A3-46D5-B155-B44DCB7F6902",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "5333B745-F7A3-46CB-8437-8668DB08CD6F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured."
    },
    {
      "lang": "es",
      "value": "Bajo ciertas configuraciones de --tlsCAFile y tls.CAFile, el servidor MongoDB puede omitir la validaci\u00f3n de certificados de pares, lo que puede resultar en conexiones que no son de confianza para tener \u00e9xito. Esto puede reducir efectivamente las garant\u00edas de seguridad proporcionadas por TLS y abrir conexiones que deber\u00edan haberse cerrado debido a una validaci\u00f3n fallida del certificado. Este problema afecta a las versiones de MongoDB Server v7.0 anteriores a 7.0.5 incluida, a las versiones de MongoDB Server v6.0 anteriores a 6.0.13 incluida, a las versiones de MongoDB Server v5.0 anteriores a 5.0.24 incluida y a MongoDB Server v4.4 Versiones anteriores a la 4.4.28 incluida. Configuraci\u00f3n requerida: un proceso de servidor permitir\u00e1 que las conexiones entrantes omitan la validaci\u00f3n del certificado de pares si el proceso del servidor se inici\u00f3 con TLS habilitado (net.tls.mode configurado en enableTLS, preferTLS o requireTLS) y sin un archivo net.tls.CAFile configurado."
    }
  ],
  "id": "CVE-2024-1351",
  "lastModified": "2025-03-11T16:56:35.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "cna@mongodb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-07T17:15:12.740",
  "references": [
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://jira.mongodb.org/browse/SERVER-72839"
    },
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240524-0010/"
    },
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
    },
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
    },
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
    },
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://jira.mongodb.org/browse/SERVER-72839"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240524-0010/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024"
    }
  ],
  "sourceIdentifier": "cna@mongodb.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "cna@mongodb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-1351 (GCVE-0-2024-1351)

Solution

Solutions

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature