CVE-2024-1351

Severity: 9.8 CRITICAL
EPSS: 0.2% (top 51.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 7, 2024; latest update Jul 30, 2024

Description

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, which may allow untrusted connections to succeed. This effectively reduces the security guarantees provided by TLS and leaves open connections that should have been closed because certificate validation failed. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to a
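The description above contrasts a server that validates peer certificates with one that silently skips validation. The script below is an added example, not code from this page or from MongoDB: it models those two states with Python's ssl module (a listener that requires client certificates chaining to a trusted CA beside one with verification turned off, standing in for the misconfigured state) and shows that a client presenting a certificate from an unrelated CA is admitted only by the lax listener, with a trusted client as a positive control. It generates throwaway CAs and certificates with the openssl command-line tool, which is assumed to be on PATH; the names, subjects and file layout are illustrative choices. It does not reproduce the particular --tlsCAFile / tls.CAFile interaction, which the page does not spell out.

```python
"""Does a TLS listener actually validate the peer certificate?  Added example, not
MongoDB code: an in-process server that requires client certs chaining to a
trusted CA is compared with one that skips peer validation (the failure mode the
advisory describes), using a client cert from an unrelated CA.  Throwaway certs
come from the `openssl` CLI, assumed to be on PATH."""
from __future__ import annotations

import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

# Self-contained OpenSSL config so CA certs get CA:TRUE whatever the system openssl.cnf says.
_CONF = "[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = unused\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n"
_EC_KEY = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]

def _openssl(*args: str) -> None:
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_ca(d: Path, conf: Path, name: str) -> tuple[Path, Path]:
    """Self-signed CA; returns (cert, key)."""
    crt, key = d / f"{name}.crt", d / f"{name}.key"
    _openssl("req", "-x509", *_EC_KEY, "-config", str(conf), "-extensions", "ca_ext",
             "-subj", f"/CN={name}", "-days", "1", "-keyout", str(key), "-out", str(crt))
    return crt, key

def make_leaf(d: Path, conf: Path, name: str, ca: tuple[Path, Path]) -> tuple[Path, Path]:
    """End-entity cert for `name` signed by `ca`; returns (cert, key)."""
    crt, key, csr = (d / f"{name}.{ext}" for ext in ("crt", "key", "csr"))
    _openssl("req", "-new", *_EC_KEY, "-config", str(conf), "-subj", f"/CN={name}",
             "-keyout", str(key), "-out", str(csr))
    _openssl("x509", "-req", "-in", str(csr), "-CA", str(ca[0]), "-CAkey", str(ca[1]),
             "-CAcreateserial", "-days", "1", "-out", str(crt))
    return crt, key

def server_context(leaf: tuple[Path, Path], ca_file: Path | None) -> ssl.SSLContext:
    """ca_file given: require a client cert chaining to it.  None: never check the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(str(leaf[0]), str(leaf[1]))
    ctx.verify_mode = ssl.CERT_NONE if ca_file is None else ssl.CERT_REQUIRED
    if ca_file is not None:
        ctx.load_verify_locations(str(ca_file))
    return ctx

def client_context(leaf: tuple[Path, Path]) -> ssl.SSLContext:
    """Client presenting `leaf`; server verification is off because it is not under test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(str(leaf[0]), str(leaf[1]))
    return ctx

def client_admitted(server_ctx: ssl.SSLContext, client_ctx: ssl.SSLContext, timeout: float = 5.0) -> bool:
    """True only if the client finishes the handshake AND gets an application reply: under
    TLS 1.3 the client's handshake can return before the server has rejected its
    certificate, and the rejection then arrives as an alert on the first read."""
    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(timeout)

    def serve() -> None:
        conn, _ = listener.accept()
        conn.settimeout(timeout)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
                tls.sendall(b"ok")
        except OSError:
            pass  # handshake refused: the client sees an alert or EOF instead of "ok"
        finally:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=timeout) as raw:
            with client_ctx.wrap_socket(raw) as tls:
                tls.sendall(b"x")
                return tls.recv(2) == b"ok"
    except OSError:  # ssl.SSLError is an OSError
        return False
    finally:
        worker.join(timeout)
        listener.close()

def run_demo() -> dict[str, bool]:
    """Untrusted client vs. validating and lax servers, plus a trusted-client control."""
    with tempfile.TemporaryDirectory() as tmp:
        d, conf = Path(tmp), Path(tmp) / "openssl.cnf"
        conf.write_text(_CONF)
        trusted_ca = make_ca(d, conf, "trusted-ca")  # what the server is configured to trust
        rogue_ca = make_ca(d, conf, "rogue-ca")      # unrelated CA, as an attacker would use
        server = make_leaf(d, conf, "server", trusted_ca)
        trusted_client = client_context(make_leaf(d, conf, "trusted-client", trusted_ca))
        untrusted_client = client_context(make_leaf(d, conf, "untrusted-client", rogue_ca))
        validating, lax = server_context(server, trusted_ca[0]), server_context(server, None)
        return {
            "validating_server_admits_trusted_client": client_admitted(validating, trusted_client),
            "validating_server_admits_untrusted_client": client_admitted(validating, untrusted_client),
            "lax_server_admits_untrusted_client": client_admitted(lax, untrusted_client),
        }
```

To turn this into a check of a real mongod listener, drop the in-process server and connect the untrusted client to the host and port of the TLS listener; because mongod, like most request/response servers, sends nothing until it receives a wire-protocol message, judge the outcome by the first read after the handshake: an alert means the certificate was rejected, a timeout with the connection still open means it was accepted. A build with this issue, under the affected configuration, would behave like the lax listener above.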

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Note: with AV:A these metrics compute to a base score of 8.8 (exploitability 2.8, impact 5.9); 9.8 corresponds to the same metrics with AV:N (exploitability 3.9). The headline severity and the vector shown here disagree; confirm against NVD before relying on either.

Affected Packages (2 packages)

Source      Package                       From    To       Ranges
CVEListV5   mongodb_inc/mongodb_server    7.0     7.0.5    +3 more
NVD         mongodb/mongodb               4.4.0   4.4.29   +3 more

Also affects: Ontap Tools 10

Patches

🔴Vulnerability Details (3)

CVEList  2024-03-07  MongoDB Server may allow successful untrusted connection
GHSA     2024-03-07  GHSA-825c-4w2m-h7fv: Under certain configurations of --tlsCAFile and tls
OSV      2024-03-07  CVE-2024-1351: Under certain configurations of --tlsCAFile and tls

📋Vendor Advisories (1)

Red Hat  2024-07-30  kernel: Bluetooth: ISO: Check socket flag instead of hcon
(This entry's title describes a Linux kernel Bluetooth change, not MongoDB TLS handling; treat the cross-reference as suspect and verify it against Red Hat's own CVE page before relying on it.)
CVE-2024-1351 | cvebase.io