9.8

CVE-2024-1351

EPSS 0.2%
Published 07.03.2024 17:15:12
Last modified 11.03.2025 16:56:35
Source cna@mongodb.com
Teams watchlist Login
Open Login

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections  that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.

Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

Affected products Warnungen 0 Metrics 3 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Mongodb ≫ Mongodb Version >= 4.4.0 < 4.4.29

Mongodb ≫ Mongodb Version >= 5.0.0 < 5.0.25

Mongodb ≫ Mongodb Version >= 6.0.0 < 6.0.14

Mongodb ≫ Mongodb Version >= 7.0.0 < 7.0.6

Netapp ≫ Astra Control Center Version-

Netapp ≫ Ontap Tools Version10 SwPlatformvmware_vsphere

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.423

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@mongodb.com	8.8	2.8	5.9	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://jira.mongodb.org/browse/SERVER-72839

Patch

Vendor Advisory

Issue Tracking

https://security.netapp.com/advisory/ntap-20240524-0010/

Third Party Advisory

https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024

Broken Link

https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024

Release Notes

https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024

Release Notes

https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2024-1351

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1351

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1351

EUVD