CVE-2020-7927
Published: 2020-11-23
CVE-2020-7927: Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue…
Priority: P3 · 38 · CVSS 3.1: 6.5 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.03% (59.4th percentile)
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | ops_manager | 4.2.0 – 4.2.17 | — |
| mongodb | ops_manager | 4.3.0 – 4.3.9 | — |
| mongodb | ops_manager | 4.4.0 – 4.4.2 | — |
| mongodb_inc | mongodb_ops_manager | 4.2 – 4.2.17 | — |
| mongodb_inc | mongodb_ops_manager | 4.3 – 4.3.9 | — |
| mongodb_inc | mongodb_ops_manager | 4.4 – 4.4.2 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 8.1 | HIGH | — |
Red Hat
mongodb: Privilege escalation via crafted API calls
Source: vendor_redhat · 2020-11-24 · CVSS 8.1 · Severity: HIGH · CWE-648
Package: mongodb (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: mongodb (Red Hat OpenStack Platform 10 (Newton)) - Out of support scope
Package: rh-mongodb36-mongodb (Red Hat Software Collections) - Not affected
Package: mongodb (Red Hat Update Infrastructure 3 for Cloud Providers) - Not affected
GHSA
GHSA-8v6g-rf54-42cg: Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege
Source: ghsa_unreviewed · 2022-05-24 · Severity: MEDIUM · CWE-648
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-11-23