CVE-2020-7924 - OpenCVE

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mongodb	Database Tools Mongomirror

Configuration 1 [-]

OR	cpe:2.3:a:mongodb:database_tools::::::::
	cpe:2.3:a:mongodb:database_tools::::::::
	cpe:2.3:a:mongodb:database_tools::::::::
	cpe:2.3:a:mongodb:database_tools::::::::
	cpe:2.3:a:mongodb:mongomirror::::::::

References

Link	Resource
https://jira.mongodb.org/browse/TOOLS-2587	Issue Tracking Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mongodb

Published: 2021-04-12T00:00:00

Updated: 2024-02-13T13:12:45.355Z

Reserved: 2020-01-23T00:00:00

Link: CVE-2020-7924

JSON object: View

NVD Information

Status : Modified

Published: 2021-04-12T17:15:13.350

Modified: 2024-02-13T14:15:44.710

Link: CVE-2020-7924

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Database Tools", "vendor": "MongoDB Inc.", "versions": [{"lessThanOrEqual": "3.6.21", "status": "affected", "version": "3.6.5", "versionType": "custom"}, {"lessThan": "4.0.21", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThan": "4.2.11", "status": "affected", "version": "4.2", "versionType": "custom"}, {"lessThan": "100.2.0", "status": "affected", "version": "100", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Mongomirror", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "0*", "status": "affected", "version": "0.6.0", "versionType": "custom"}]}], "datePublic": "2021-04-11T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.</p>"}], "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-02-13T13:12:45.355Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.mongodb.org/browse/TOOLS-2587"}], "source": {"discovery": "INTERNAL"}, "title": "Specific command line parameter might result in accepting invalid certificate", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-04-12T16:00:00.000Z", "ID": "CVE-2020-7924", "STATE": "PUBLIC", "TITLE": "Specific command line parameter might result in accepting invalid certificate"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Database Tools", "version": {"version_data": [{"version_affected": ">", "version_name": "3.6", "version_value": "3.6.5"}, {"version_affected": "<", "version_name": "3.6", "version_value": "3.6.21"}, {"version_affected": "<", "version_name": "4.0", "version_value": "4.0.21"}, {"version_affected": "<", "version_name": "4.2", "version_value": "4.2.11"}, {"version_affected": "<", "version_name": "100", "version_value": "100.2.0"}]}}, {"product_name": "Mongomirror", "version": {"version_data": [{"version_affected": ">", "version_name": "0", "version_value": "0.6.0"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/TOOLS-2587", "refsource": "MISC", "url": "https://jira.mongodb.org/browse/TOOLS-2587"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2020-7924", "datePublished": "2021-04-12T00:00:00", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-02-13T13:12:45.355Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0255916-D8D6-4F54-A52E-6851A08A940E", "versionEndExcluding": "3.6.21", "versionStartIncluding": "3.6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "46F9093A-A7D0-41E7-99CD-A82ED491CF09", "versionEndExcluding": "4.0.21", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "3094DE0B-DF1A-45E9-BE6C-E06B19100DAB", "versionEndExcluding": "4.2.11", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "3309683F-1145-429F-A7C5-077CA01FD6F4", "versionEndExcluding": "100.2.0", "versionStartIncluding": "100.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongomirror:*:*:*:*:*:*:*:*", "matchCriteriaId": "04758A73-E28C-4DE1-B651-0B1FD692868F", "versionEndExcluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.\n\n"}, {"lang": "es", "value": "El uso de un par\u00e1metro de l\u00ednea de comando espec\u00edfico en MongoDB Tools, que originalmente estaba destinado a omitir las comprobaciones de nombre de host, puede resultar que MongoDB omita toda la comprobaci\u00f3n de certificados. Esto puede resultar en la aceptaci\u00f3n de certificados no v\u00e1lidos. Este problema afecta a: MongoDB Inc. MongoDB Database Tools versiones 3.6 posteriores a 3.6.5; versiones 3.6 anteriores a 3.6.21; versiones 4.0 anteriores a 4.0.21; versiones 4.2 anteriores a 4.2.11; versiones 100 versiones anteriores a 100.2.0. MongoDB Inc. Mongomirror versiones 0 posteriores a 0.6.0"}], "id": "CVE-2020-7924", "lastModified": "2024-02-13T14:15:44.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2021-04-12T17:15:13.350", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/TOOLS-2587"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "cna@mongodb.com", "type": "Secondary"}]}