CVE-2021-20335

EPSS 0.06%
Veröffentlicht 11.02.2021 10:15:12
Zuletzt bearbeitet 21.11.2024 05:46:25
Quelle cna@mongodb.com
Teams Watchlist Login
Unerledigt Login

For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mongodb ≫ Ops Manager Version >= 4.2.0 <= 4.2.24

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.142

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.6	2.1	2.5	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	4.1	5.1	4.9	AV:A/AC:L/Au:S/C:P/I:P/A:N
cna@mongodb.com	6.7	1.5	5.2	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-20335

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-20335

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-20335

EUVD