Ubuntu.comUB:CVE-2024-1351CVE-2024-1351
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.5%
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server
may skip peer certificate validation which may result in untrusted
connections to succeed. This may effectively reduce the security guarantees
provided by TLS and open connections that should have been closed due to
failing certificate validation. This issue affects MongoDB Server v7.0
versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior
to and including 6.0.13, MongoDB Server v5.0 versions prior to and
including 5.0.24 and MongoDB Server v4.4 versions prior to and including
4.4.28. Required Configuration : A server process will allow incoming
connections to skip peer certificate validation if the server process was
started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or
requireTLS) and without a net.tls.CAFile configured.
References
jira.mongodb.org/browse/SERVER-72839
launchpad.net/bugs/cve/CVE-2024-1351
nvd.nist.gov/vuln/detail/CVE-2024-1351
security-tracker.debian.org/tracker/CVE-2024-1351
www.cve.org/CVERecord?id=CVE-2024-1351
www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024
www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024
www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024
www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024
Related
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.5%