CVE-2023-1409 Certificate validation issue in MongoDB Server running on Windows or macOS

2023-08-2315:21:43

CWE-295

mongodb

www.cve.org

mongodb

windows

macos

tls

certificate validation

security issue

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

35.3%

JSON

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.

This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "MongoDB Server",
    "vendor": "MongoDB Inc",
    "versions": [
      {
        "lessThanOrEqual": "6.3.2",
        "status": "affected",
        "version": "6.3",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "5.0.14",
        "status": "affected",
        "version": "5.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.4.23",
        "status": "affected",
        "version": "4.4",
        "versionType": "custom"
      }
    ]
  }
]