CVE-2023-4009

EPSS 0.14%
Veröffentlicht 08.08.2023 09:15:11
Zuletzt bearbeitet 13.02.2025 17:17:14
Quelle cna@mongodb.com
Teams Watchlist Login
Unerledigt Login

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mongodb ≫ Ops Manager Server Version >= 5.0.0 < 5.0.22

Mongodb ≫ Ops Manager Server Version >= 6.0.0 < 6.0.17

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.345

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cna@mongodb.com	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-648 Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

https://security.netapp.com/advisory/ntap-20230831-0013/

https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0

Vendor Advisory

https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-4009

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-4009

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-4009

EUVD