Lucene search

[email protected]NVD:CVE-2020-7927

HistoryNov 23, 2020 - 7:15 p.m.

CVE-2020-7927

2020-11-2319:15:11

CWE-648

[email protected]

web.nvd.nist.gov

api calls

authenticated user

organization owner privilege

mongodb ops manager

global role privilege

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.

Affected configurations

Nvd

Node

mongodbops_managerRange4.2.0–4.2.17

mongodbops_managerRange4.3.0–4.3.9

mongodbops_managerRange4.4.0–4.4.2

References

www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Related for NVD:CVE-2020-7927

cve1 mongodb1 cvelist1 redhatcve1 prion1