Improper Authentication in MongoDB Server on Linux with TLS Configuration
CVE-2025-3085
8.1HIGH
Summary
An improper authentication vulnerability exists in MongoDB Server when running on Linux with TLS enabled and CRL revocation status checking engaged. Under certain conditions, the server fails to verify the revocation status of intermediate certificates in the peer’s certificate chain. This could lead to unauthorized access, particularly when MONGODB-X509 authentication is implemented, which is not enabled by default. The issue also poses a risk to intra-cluster authentication, making it crucial for organizations to ensure that their MongoDB Servers are updated and properly configured.
Affected Version(s)
MongoDB Server 5.0 < 5.0.31
MongoDB Server 6.0 < 6.0.20
MongoDB Server 7.0 < 7.0.16
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved