MongoDB Ops Manager bis 4.2.17/4.3.9/4.4.2 API Key Information Disclosure

eintrageditHistoryDiffjsonxmlCTI

In MongoDB Ops Manager bis 4.2.17/4.3.9/4.4.2 (Database Software) wurde eine problematische Schwachstelle gefunden. Dabei geht es um ein unbekannter Prozess der Komponente API Key Handler. Ein Upgrade auf die Version 4.4.3 vermag dieses Problem zu beheben.

Feld24.11.2020 08:1710.12.2020 09:1510.12.2020 09:19
vendorMongoDBMongoDBMongoDB
nameOps ManagerOps ManagerOps Manager
version<=4.2.17/4.3.9/4.4.2<=4.2.17/4.3.9/4.4.2<=4.2.17/4.3.9/4.4.2
componentAPI Key HandlerAPI Key HandlerAPI Key Handler
cwe200 (Information Disclosure)200 (Information Disclosure)200 (Information Disclosure)
risk111
cvss3_vuldb_avNNN
cvss3_vuldb_acHHH
cvss3_vuldb_prLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iNNN
cvss3_vuldb_aNNN
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
urlhttps://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3
nameUpgradeUpgradeUpgrade
upgrade_version4.4.34.4.34.4.3
cveCVE-2020-7927CVE-2020-7927CVE-2020-7927
date1606172400 (24.11.2020)1606172400 (24.11.2020)1606172400 (24.11.2020)
typeDatabase SoftwareDatabase SoftwareDatabase Software
cvss2_vuldb_avNNN
cvss2_vuldb_acHHH
cvss2_vuldb_ciPPP
cvss2_vuldb_iiNNN
cvss2_vuldb_aiNNN
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_auSSS
cvss2_vuldb_eNDNDND
cvss3_vuldb_eXXX
cvss2_vuldb_basescore2.12.12.1
cvss2_vuldb_tempscore2.11.81.8
cvss3_vuldb_basescore3.13.13.1
cvss3_vuldb_tempscore3.13.03.0
cvss3_meta_basescore3.13.14.8
cvss3_meta_tempscore3.13.04.6
price_0day$0-$5k$0-$5k$0-$5k
cve_assigned15797340001579734000
cve_nvd_summarySpecially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.
confirm_urlhttps://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prL
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iN
cvss3_nvd_aN
cvss2_nvd_avN
cvss2_nvd_acL
cvss2_nvd_auS
cvss2_nvd_ciP
cvss2_nvd_iiN
cvss2_nvd_aiN
cve_cnaMongoDB, Inc.
cvss2_nvd_basescore4.0
cvss3_nvd_basescore6.5

Interested in the pricing of exploits?

See the underground prices here!