Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager
CVE-2023-4009

7.2HIGH

Key Information:

Vendor: MongoDB
Status: Mongodb Ops Manager
Vendor: CVE Published:; 8 August 2023

What is CVE-2023-4009?

An authenticated user with project owner or project user admin access in MongoDB Ops Manager versions prior to 5.0.22 and 6.0.17 can exploit a vulnerability to generate an API key with org owner privileges. This allows for unauthorized access and potential manipulation of data, posing a significant security risk. Organizations using affected versions should promptly update to mitigate this concern.

Affected Version(s)

MongoDB Ops Manager 6.0 < 6.0.17

MongoDB Ops Manager 5.0 < 5.0.22

References

https://www.mongodb.com/docs/ops-manager/current/release-...

https://www.mongodb.com/docs/ops-manager/v5.0/release-not...

https://security.netapp.com/advisory/ntap-20230831-0013/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 8, 2023
Vulnerability Reserved
Jul 31, 2023