CVE-2021-20335
published 2021-02-11

Priority: P420
Severity: medium, score 4.6 (CVSS 3.1)
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.14% (3.7th percentile)
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted. Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.

Affected (2 ranges)

Vendor        Product              Version range    Fixed in
mongodb       ops_manager          4.2.0 – 4.2.24
mongodb_inc   mongodb_ops_manager  4.2 – 4.2.24

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     4.6    MEDIUM    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvd     v2.0     4.1    MEDIUM    AV:A/AC:L/Au:S/C:P/I:P/A:N
osv              4.6    MEDIUM