OpenCVE

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate. This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple	Macos
Microsoft	Windows
Mongodb	Mongodb

Configuration 1 [-]

AND

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

OR	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::

No data.

References

Link	Providers
https://jira.mongodb.org/browse/SERVER-73662
https://jira.mongodb.org/browse/SERVER-77028
https://security.netapp.com/advisory/ntap-20230921-0007/

History

Wed, 02 Oct 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2023-08-23T15:21:43.150Z

Updated: 2024-10-02T18:57:17.819Z

Reserved: 2023-03-15T10:43:39.990Z

Link: CVE-2023-1409

Vulnrichment

Updated: 2024-08-02T05:49:11.303Z

NVD

Status : Modified

Published: 2023-08-23T16:15:08.167

Modified: 2023-09-21T17:15:15.390

Link: CVE-2023-1409

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1409", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2023-03-15T10:43:39.990Z", "datePublished": "2023-08-23T15:21:43.150Z", "dateUpdated": "2024-10-02T18:57:17.819Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc", "versions": [{"lessThanOrEqual": "6.3.2", "status": "affected", "version": "6.3", "versionType": "custom"}, {"lessThanOrEqual": "5.0.14", "status": "affected", "version": "5.0", "versionType": "custom"}, {"lessThanOrEqual": "4.4.23", "status": "affected", "version": "4.4", "versionType": "custom"}]}], "datePublic": "2023-08-23T16:18:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.</p><p>This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.</p>"}], "value": "If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.\n\nThis issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2023-08-23T15:21:43.150Z"}, "references": [{"url": "https://jira.mongodb.org/browse/SERVER-73662"}, {"url": "https://jira.mongodb.org/browse/SERVER-77028"}, {"url": "https://security.netapp.com/advisory/ntap-20230921-0007/"}], "source": {"discovery": "INTERNAL"}, "title": "Certificate validation issue in MongoDB Server running on Windows or macOS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.303Z"}, "title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-73662", "tags": ["x_transferred"]}, {"url": "https://jira.mongodb.org/browse/SERVER-77028", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230921-0007/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-02T18:57:05.773205Z", "id": "CVE-2023-1409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T18:57:17.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-73662", "tags": ["x_transferred"]}, {"url": "https://jira.mongodb.org/browse/SERVER-77028", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230921-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.303Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-02T18:57:05.773205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T18:57:12.865Z"}}], "cna": {"title": "Certificate validation issue in MongoDB Server running on Windows or macOS", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "6.3", "versionType": "custom", "lessThanOrEqual": "6.3.2"}, {"status": "affected", "version": "5.0", "versionType": "custom", "lessThanOrEqual": "5.0.14"}, {"status": "affected", "version": "4.4", "versionType": "custom", "lessThanOrEqual": "4.4.23"}], "defaultStatus": "unaffected"}], "datePublic": "2023-08-23T16:18:00.000Z", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-73662"}, {"url": "https://jira.mongodb.org/browse/SERVER-77028"}, {"url": "https://security.netapp.com/advisory/ntap-20230921-0007/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.\n\nThis issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.</p><p>This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2023-08-23T15:21:43.150Z"}}}, "cveMetadata": {"cveId": "CVE-2023-1409", "state": "PUBLISHED", "dateUpdated": "2024-10-02T18:57:17.819Z", "dateReserved": "2023-03-15T10:43:39.990Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2023-08-23T15:21:43.150Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FB74004-16AF-45A0-B0CF-01F9E9BD9E42", "versionEndExcluding": "4.4.23", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "E31A2BB4-0F80-4279-BA4A-E19A73EF4532", "versionEndIncluding": "5.0.14", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "86EBA767-37C3-42D3-91CC-FB816C097399", "versionEndExcluding": "6.0.7", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9293CA6-B1FF-4602-AECD-5E7025AF2894", "versionEndIncluding": "6.3.2", "versionStartIncluding": "6.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.\n\nThis issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.\n\n"}], "id": "CVE-2023-1409", "lastModified": "2023-09-21T17:15:15.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2023-08-23T16:15:08.167", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-73662"}, {"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-77028"}, {"source": "cna@mongodb.com", "url": "https://security.netapp.com/advisory/ntap-20230921-0007/"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "cna@mongodb.com", "type": "Secondary"}]}