TLS Certificate Validation Bypass Vulnerability Affects MongoDB Server Versions Prior to 7.0.5, 6.0.13, 5.0.24, and 4.4.28
CVE-2024-1351
Summary
A significant vulnerability exists in MongoDB Server where certain configurations of --tlsCAFile (command line) and tls.CAFile (configuration file) result in peer certificate validation being skipped. This misconfiguration permits untrusted connections, which substantially weakens security by undermining the protection TLS is meant to provide. If the server is started with TLS enabled but the appropriate CAFile setting is not configured, it may accept incoming connections that would otherwise be rejected for failing certificate validation. The flaw affects multiple release branches of MongoDB Server, underscoring the need for correct TLS configuration to maintain secure operation.
Affected Version(s)
MongoDB Server 7.0 <= 7.0.5
MongoDB Server 6.0 <= 6.0.13
MongoDB Server 5.0 <= 5.0.24
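The following defender-side audit helper is an added example; it is not part of this advisory and not MongoDB's own code. It assumes the mongod.conf file has already been loaded into a Python dict by a YAML parser (the sample dicts below are constructed), treats --tlsMode and --tlsCAFile on the mongod command line as taking precedence over the file, and takes the fixed versions from the advisory title (7.0.5, 6.0.13, 5.0.24, 4.4.28). It flags the misconfiguration the summary describes, TLS enabled with no CA file, and reports whether a given server version predates the fix.

```python
"""Audit helper for the MongoDB TLS CA-file misconfiguration (CVE-2024-1351).

Hypothetical checks, not MongoDB's own code:
  * audit_tls_settings(): flags a mongod that has TLS enabled but no CA file
    configured via tls.CAFile (config file) or --tlsCAFile (command line).
  * is_fixed_version(): compares a server version against the fixed versions
    named in the advisory title.
"""
from typing import Any, Dict, List, Optional, Tuple

# Fixed versions per release branch, taken from the advisory title.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (7, 0): (7, 0, 5),
    (6, 0): (6, 0, 13),
    (5, 0): (5, 0, 24),
    (4, 4): (4, 4, 28),
}

# Constructed sample configurations (what a YAML parser would yield for mongod.conf).
WEAK_CONFIG: Dict[str, Any] = {
    "net": {"tls": {"mode": "requireTLS",
                    "certificateKeyFile": "/etc/ssl/mongod.pem"}}  # no CAFile
}
HARDENED_CONFIG: Dict[str, Any] = {
    "net": {"tls": {"mode": "requireTLS",
                    "certificateKeyFile": "/etc/ssl/mongod.pem",
                    "CAFile": "/etc/ssl/ca.pem"}}
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.0.12' -> (6, 0, 12); a trailing suffix such as '-rc0' is ignored."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed_version(text: str) -> Optional[bool]:
    """True if the version carries the fix, False if it is older than the fix,
    None if the release branch is not one the advisory covers."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def _lookup(config: Dict[str, Any], path: Tuple[str, ...]) -> Optional[Any]:
    """Walk a nested dict along path; None if any key is missing."""
    node: Any = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _arg_value(argv: List[str], flag: str) -> Optional[str]:
    """Value of '--flag value' or '--flag=value' on a mongod command line."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def audit_tls_settings(config: Dict[str, Any], argv: List[str]) -> List[str]:
    """Return findings for the TLS-enabled-without-CA-file misconfiguration.

    Command-line flags override the configuration file. TLS counts as enabled
    for any mode other than 'disabled' (allowTLS, preferTLS, requireTLS).
    """
    findings: List[str] = []
    mode = _arg_value(argv, "--tlsMode") or _lookup(config, ("net", "tls", "mode"))
    tls_enabled = mode is not None and mode != "disabled"
    ca_file = _arg_value(argv, "--tlsCAFile") or _lookup(config, ("net", "tls", "CAFile"))
    if tls_enabled and not ca_file:
        findings.append(
            "TLS enabled (mode=%s) but no CA file set via tls.CAFile or --tlsCAFile; "
            "peer certificate validation may be skipped" % mode)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_settings(cfg, ["mongod"]) or ["ok"])
    for ver in ("6.0.12", "6.0.13", "4.4.27", "3.6.23"):
        print(ver, is_fixed_version(ver))
```

Run it against the dict produced by parsing the real mongod.conf together with the process's actual argv; a server that is both on a pre-fix version and reported by audit_tls_settings should be upgraded and given an explicit CAFile, and the hardened sample above shows the shape of a correct net.tls block.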