Lucene search

[email protected]NVD:CVE-2023-1409

HistoryAug 23, 2023 - 4:15 p.m.

CVE-2023-1409

2023-08-2316:15:08

CWE-295

[email protected]

web.nvd.nist.gov

mongodb

tls

certificate validation

bypass

cve-2023-1409

windows

macos

v6.3

v5.0

v4.4

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

35.3%

JSON

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.

This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.

Affected configurations

Nvd

Node

applemacosMatch-

microsoftwindowsMatch-

AND

mongodbmongodbRange4.4.0–4.4.23

mongodbmongodbRange5.0.0–5.0.14

mongodbmongodbRange6.0.0–6.0.7

mongodbmongodbRange6.3.0–6.3.2

VendorProductVersionCPE
applemacos-cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
microsoftwindows-cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
mongodbmongodb*cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apple	macos	-	cpe:2.3:o:apple:macos:-:::::::*
microsoft	windows	-	cpe:2.3:o:microsoft:windows:-:::::::*
mongodb	mongodb	*	cpe:2.3:a:mongodb:mongodb::::::::