CVE-2021-20334

EPSS 0.1%
Published 06.04.2021 17:15:12
Last modified 21.11.2024 05:46:24
Source cna@mongodb.com
Teams watchlist Login
Open Login

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Mongodb ≫ Compass Version >= 1.3.0 < 1.25.0

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.242

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
cna@mongodb.com	4.8	1.3	3.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://jira.mongodb.org/browse/COMPASS-4510

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-20334

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-20334

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-20334

EUVD