MongoDB Ops Manager bis 4.2.17/4.3.9/4.4.2 API Key Information Disclosure

eintrageditHistoryDiffjsonxmlCTI

In MongoDB Ops Manager bis 4.2.17/4.3.9/4.4.2 (Database Software) wurde eine problematische Schwachstelle gefunden. Dabei geht es um ein unbekannter Prozess der Komponente API Key Handler. Ein Upgrade auf die Version 4.4.3 vermag dieses Problem zu beheben.

Feld	24.11.2020 08:17	10.12.2020 09:15	10.12.2020 09:19
vendor	MongoDB	MongoDB	MongoDB
name	Ops Manager	Ops Manager	Ops Manager
version	<=4.2.17/4.3.9/4.4.2	<=4.2.17/4.3.9/4.4.2	<=4.2.17/4.3.9/4.4.2
component	API Key Handler	API Key Handler	API Key Handler
cwe	200 (Information Disclosure)	200 (Information Disclosure)	200 (Information Disclosure)
risk	1	1	1
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	H	H	H
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	N	N	N
cvss3_vuldb_a	N	N	N
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
url	https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3	https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3	https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3
name	Upgrade	Upgrade	Upgrade
upgrade_version	4.4.3	4.4.3	4.4.3
cve	CVE-2020-7927	CVE-2020-7927	CVE-2020-7927
date	1606172400 (24.11.2020)	1606172400 (24.11.2020)	1606172400 (24.11.2020)
type	Database Software	Database Software	Database Software
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	H	H	H
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	N	N	N
cvss2_vuldb_ai	N	N	N
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_e	X	X	X
cvss2_vuldb_basescore	2.1	2.1	2.1
cvss2_vuldb_tempscore	2.1	1.8	1.8
cvss3_vuldb_basescore	3.1	3.1	3.1
cvss3_vuldb_tempscore	3.1	3.0	3.0
cvss3_meta_basescore	3.1	3.1	4.8
cvss3_meta_tempscore	3.1	3.0	4.6
price_0day	$0-$5k	$0-$5k	$0-$5k
cve_assigned		1579734000	1579734000
cve_nvd_summary		Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.	Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.
confirm_url		https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3	https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			L
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			N
cvss3_nvd_a			N
cvss2_nvd_av			N
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			P
cvss2_nvd_ii			N
cvss2_nvd_ai			N
cve_cna			MongoDB, Inc.
cvss2_nvd_basescore			4.0
cvss3_nvd_basescore			6.5

◂ Zurück Übersicht Weiter ▸

Interested in the pricing of exploits?

See the underground prices here!