CVE-2021-20334Improper Privilege Management in INC Mongodb Compass

CWE-269Improper Privilege Management3 documents3 sources
Severity
7.8HIGHNVD
CNA4.8
EPSS
0.1%
top 73.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb CompassMongodb Compass
Timeline
PublishedApr 6
Latest updateMay 24

Description

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDmongodb/compass1.3.01.25.0
CVEListV5mongodb_inc/mongodb_compass1.3.01.x*

🔴Vulnerability Details

2
GHSA
GHSA-9567-49v2-4jq6: A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges o2022-05-24
CVEList
Local privilege escalation in MongoDB Compass for Windows2021-04-06
CVE-2021-20334 — Improper Privilege Management | cvebase