CVE-2020-7921 - OpenCVE

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mongodb	Mongodb

Configuration 1 [-]

OR	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::

No data.

References

Link	Providers
https://jira.mongodb.org/browse/SERVER-45472
https://nvd.nist.gov/vuln/detail/CVE-2020-7921
https://www.cve.org/CVERecord?id=CVE-2020-7921
https://www.mongodb.com/alerts#security-related

History

No history.

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2020-05-06T14:55:12

Updated: 2024-08-04T09:48:23.861Z

Reserved: 2020-01-23T00:00:00

Link: CVE-2020-7921

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-06T15:15:11.880

Modified: 2024-01-23T15:15:11.537

Link: CVE-2020-7921

Redhat

Severity : Moderate

Publid Date: 2020-06-05T00:00:00Z

Links: CVE-2020-7921 - Bugzilla

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "4.2.3", "status": "affected", "version": "4.2", "versionType": "custom"}, {"lessThan": "4.0.15", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThan": "3.6.18", "status": "affected", "version": "3.6", "versionType": "custom"}, {"lessThan": "4.3.3", "status": "affected", "version": "4.3", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Discovered by Tony Yesudas."}], "datePublic": "2020-05-06T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.</p><p></p>"}], "value": "\nImproper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-182", "description": "CWE-182: Collapse of Data into Unsafe Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T15:07:03.921Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.mongodb.org/browse/SERVER-45472"}], "source": {"defect": ["SECURITY-625"], "discovery": "USER"}, "title": "Administrative action may disable enforcement of per-user IP whitelisting", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "ID": "CVE-2020-7921", "STATE": "PUBLIC", "TITLE": "Administrative action may disable enforcement of per-user IP whitelisting"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Server", "version": {"version_data": [{"version_affected": "<", "version_name": "4.2", "version_value": "4.2.3"}, {"version_affected": "<", "version_name": "4.0", "version_value": "4.0.15"}, {"version_affected": "<", "version_name": "3.6", "version_value": "3.6.18"}, {"version_affected": "<", "version_name": "4.3", "version_value": "4.3.3"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "credit": [{"lang": "eng", "value": "Discovered by Tony Yesudas."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-182"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/SERVER-45472", "refsource": "MISC", "url": "https://jira.mongodb.org/browse/SERVER-45472"}]}, "source": {"defect": ["SECURITY-625"], "discovery": "USER"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:23.861Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.mongodb.org/browse/SERVER-45472"}]}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2020-7921", "datePublished": "2020-05-06T14:55:12", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-08-04T09:48:23.861Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "072568FB-8F07-45D9-9012-DE87879E79BC", "versionEndExcluding": "3.6.18", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8A24751-DF25-420F-95BA-39AC0528A61B", "versionEndExcluding": "4.0.15", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DF922DE-9B3A-4F75-86BE-D6883BD3BD5B", "versionEndExcluding": "4.2.3", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4258F05-4F2F-4F94-BDB5-2481D1A597AE", "versionEndExcluding": "4.3.3", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nImproper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\n\n\n\n"}, {"lang": "es", "value": "Una serializaci\u00f3n inapropiada del estado interno en el subsistema de autorizaci\u00f3n en el subsistema de autorizaci\u00f3n en MongoDB Server, permite a un usuario con credenciales no v\u00e1lidas omitir los mecanismos de protecci\u00f3n de lista blanca de IP despu\u00e9s de una acci\u00f3n administrativa. Este problema afecta a: MongoDB Inc. MongoDB Server versiones 4.2 anteriores a 4.2.3; versiones 4.0 anteriores a 4.0.15; versiones 4.3 anteriores a 4.3.3; versiones 3.6 anteriores a 3.6.18."}], "id": "CVE-2020-7921", "lastModified": "2024-01-23T15:15:11.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2020-05-06T15:15:11.880", "references": [{"source": "cna@mongodb.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-45472"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-182"}], "source": "cna@mongodb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "mongodb: Improper serialization permits bypass of IP based authentication restrictions", "id": "1848563", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848563"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-863", "details": ["Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.", "A vulnerability was discovered in MongoDB, where an update operation on a user-define role clears the authenticationRestrictions field that was previously set. This unexpected behavior may remove previous IP based restrictions configured on a role, thus allowing a user to bypass them once the update operation is performed."], "mitigation": {"lang": "en:us", "value": "There is no known mitigation for this issue, the flaw can only be resolved by applying updates."}, "name": "CVE-2020-7921", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:mongodb", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb34-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb36-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2020-06-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7921\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7921\nhttps://www.mongodb.com/alerts#security-related"], "statement": "Red Hat Satellite 6.6 onward does not ship the MongoDB package; however, the product consumes MongoDB from Red Hat Software Collections (RHSCL) for Red Hat Enterprise Linux. Satellite has no plans to update to a version of MongoDB released with a Server Side Public License (SSPL) which includes all versions released after October 16, 2018. Refer to this article for more information: https://access.redhat.com/articles/5767021\nThis issue did not affect the versions of mongodb as shipped with Red Hat Update Infrastructure 3 as they did not include support for authenticationRestrictions field in roles.", "threat_severity": "Moderate", "upstream_fix": "mongodb 3.6.18, mongodb 4.0.15, mongodb 4.2.3, mongodb 4.3.3"}