{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Database Tools", "vendor": "MongoDB Inc.", "versions": [{"lessThanOrEqual": "3.6.21", "status": "affected", "version": "3.6.5", "versionType": "custom"}, {"lessThan": "4.0.21", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThan": "4.2.11", "status": "affected", "version": "4.2", "versionType": "custom"}, {"lessThan": "100.2.0", "status": "affected", "version": "100", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Mongomirror", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "0*", "status": "affected", "version": "0.6.0", "versionType": "custom"}]}], "datePublic": "2021-04-11T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.</p>"}], "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-02-13T13:12:45.355Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.mongodb.org/browse/TOOLS-2587"}], "source": {"discovery": "INTERNAL"}, "title": "Specific command line parameter might result in accepting invalid certificate", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-04-12T16:00:00.000Z", "ID": "CVE-2020-7924", "STATE": "PUBLIC", "TITLE": "Specific command line parameter might result in accepting invalid certificate"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Database Tools", "version": {"version_data": [{"version_affected": ">", "version_name": "3.6", "version_value": "3.6.5"}, {"version_affected": "<", "version_name": "3.6", "version_value": "3.6.21"}, {"version_affected": "<", "version_name": "4.0", "version_value": "4.0.21"}, {"version_affected": "<", "version_name": "4.2", "version_value": "4.2.11"}, {"version_affected": "<", "version_name": "100", "version_value": "100.2.0"}]}}, {"product_name": "Mongomirror", "version": {"version_data": [{"version_affected": ">", "version_name": "0", "version_value": "0.6.0"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/TOOLS-2587", "refsource": "MISC", "url": "https://jira.mongodb.org/browse/TOOLS-2587"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-30T17:00:33.949728Z", "id": "CVE-2020-7924", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T17:00:41.020Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:23.816Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.mongodb.org/browse/TOOLS-2587"}]}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2020-7924", "datePublished": "2021-04-12T16:25:11.147020Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T16:28:23.095Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/TOOLS-2587", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:23.816Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-7924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-30T17:00:33.949728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T17:00:38.307Z"}}], "cna": {"title": "Specific command line parameter might result in accepting invalid certificate", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc.", "product": "MongoDB Database Tools", "versions": [{"status": "affected", "version": "3.6.5", "versionType": "custom", "lessThanOrEqual": "3.6.21"}, {"status": "affected", "version": "4.0", "lessThan": "4.0.21", "versionType": "custom"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.11", "versionType": "custom"}, {"status": "affected", "version": "100", "lessThan": "100.2.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "MongoDB Inc.", "product": "Mongomirror", "versions": [{"status": "affected", "version": "0.6.0", "lessThan": "0*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2021-04-11T23:00:00.000Z", "references": [{"url": "https://jira.mongodb.org/browse/TOOLS-2587", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.", "supportingMedia": [{"type": "text/html", "value": "<p>Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-02-13T13:12:45.355Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "3.6", "version_value": "3.6.5", "version_affected": ">"}, {"version_name": "3.6", "version_value": "3.6.21", "version_affected": "<"}, {"version_name": "4.0", "version_value": "4.0.21", "version_affected": "<"}, {"version_name": "4.2", "version_value": "4.2.11", "version_affected": "<"}, {"version_name": "100", "version_value": "100.2.0", "version_affected": "<"}]}, "product_name": "MongoDB Database Tools"}, {"version": {"version_data": [{"version_name": "0", "version_value": "0.6.0", "version_affected": ">"}]}, "product_name": "Mongomirror"}]}, "vendor_name": "MongoDB Inc."}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://jira.mongodb.org/browse/TOOLS-2587", "name": "https://jira.mongodb.org/browse/TOOLS-2587", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-7924", "STATE": "PUBLIC", "TITLE": "Specific command line parameter might result in accepting invalid certificate", "ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-04-12T16:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2020-7924", "state": "PUBLISHED", "dateUpdated": "2024-09-16T16:28:23.095Z", "dateReserved": "2020-01-23T00:00:00", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2021-04-12T16:25:11.147020Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0255916-D8D6-4F54-A52E-6851A08A940E", "versionEndExcluding": "3.6.21", "versionStartIncluding": "3.6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "46F9093A-A7D0-41E7-99CD-A82ED491CF09", "versionEndExcluding": "4.0.21", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "3094DE0B-DF1A-45E9-BE6C-E06B19100DAB", "versionEndExcluding": "4.2.11", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:database_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "3309683F-1145-429F-A7C5-077CA01FD6F4", "versionEndExcluding": "100.2.0", "versionStartIncluding": "100.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongomirror:*:*:*:*:*:*:*:*", "matchCriteriaId": "04758A73-E28C-4DE1-B651-0B1FD692868F", "versionEndExcluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0."}, {"lang": "es", "value": "El uso de un par\u00e1metro de l\u00ednea de comando espec\u00edfico en MongoDB Tools, que originalmente estaba destinado a omitir las comprobaciones de nombre de host, puede resultar que MongoDB omita toda la comprobaci\u00f3n de certificados.&#xa0;Esto puede resultar en la aceptaci\u00f3n de certificados no v\u00e1lidos. Este problema afecta a: MongoDB Inc. MongoDB Database Tools versiones 3.6 posteriores a 3.6.5;&#xa0;versiones 3.6 anteriores a 3.6.21;&#xa0;versiones 4.0 anteriores a 4.0.21;&#xa0;versiones 4.2 anteriores a 4.2.11;&#xa0;versiones 100 versiones anteriores a 100.2.0.&#xa0;MongoDB Inc. Mongomirror versiones 0 posteriores a 0.6.0"}], "id": "CVE-2020-7924", "lastModified": "2024-11-21T05:38:01.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "cna@mongodb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-12T17:15:13.350", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/TOOLS-2587"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/TOOLS-2587"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "cna@mongodb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mongodb: sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely", "id": "1948726", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948726"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.", "A validation flaw was found in mongodb. Due to the incorrect behavior of a specific command-line parameter in MongoDB Tools, which was originally intended to just skip hostname checks, all certificate validations by MongoDB could be skipped. The highest threat from this vulnerability is to data integrity."], "name": "CVE-2020-7924", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mongodb36-mongodb", "product_name": "Red Hat Software Collections"}], "public_date": "2021-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7924\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7924\nhttps://jira.mongodb.org/browse/TOOLS-2587"], "statement": "In Red Hat OpenStack Platform, because the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP mongodb package.", "threat_severity": "Moderate"}