
CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information such as GCP service account keys and API integration secrets while DEBUG-mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions 1.5.0, 1.6.0, 1.6.1 and 1.7.0. Note that this was reported against an EOL version of the product, and users are advised to upgrade to the latest supported version. Required configuration: DEBUG logging is not enabled by default and must be configured by the end user. To check the log level of the Operator, review the flags passed in your deployment configuration (e.g. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27). • https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1 • CWE-532: Insertion of Sensitive Information into Log File •
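The check the advisory asks for (review the flags passed to the Operator) can be automated. The following JavaScript is an added example, not code from the Atlas Kubernetes Operator project: it inspects a Deployment as exported by `kubectl get deployment -n <namespace> <name> -o json` and reports any container whose command line sets the log level to debug. It assumes the level is passed as `--log-level`, the flag used in the manager.yaml linked above; the sample Deployment is constructed for the example.

```javascript
// Added example (not code from the Atlas Kubernetes Operator project).
// Inspects a Kubernetes Deployment object, as returned by
// `kubectl get deployment -n <ns> <name> -o json`, and reports every
// container whose command line turns on DEBUG logging.
// Assumption: the operator takes its level via `--log-level` (the flag in
// the manager.yaml linked above); change FLAG if your deployment differs.
const FLAG = '--log-level';

// Extract the value of FLAG from an argv-style list, accepting both
// `--log-level=debug` and `--log-level debug`. Returns null when absent.
function logLevelFromArgv(argv) {
  for (let i = 0; i < argv.length; i++) {
    const arg = String(argv[i]);
    if (arg.startsWith(FLAG + '=')) return arg.slice(FLAG.length + 1);
    if (arg === FLAG && i + 1 < argv.length) return String(argv[i + 1]);
  }
  return null;
}

// Walk every container in the pod template. `command` and `args` are
// concatenated because the flag may have been placed in either.
function findDebugLogging(deployment) {
  const spec = (deployment && deployment.spec && deployment.spec.template &&
    deployment.spec.template.spec) || {};
  const containers = spec.containers || [];
  const findings = [];
  for (const c of containers) {
    const argv = [].concat(c.command || [], c.args || []);
    const level = logLevelFromArgv(argv);
    if (level !== null && level.toLowerCase() === 'debug') {
      findings.push({ container: c.name, level });
    }
  }
  return findings;
}

// Constructed sample: a trimmed Deployment (not a real cluster export) with
// DEBUG enabled on the manager container and an unrelated sidecar.
const sampleDeployment = {
  apiVersion: 'apps/v1',
  kind: 'Deployment',
  metadata: { name: 'mongodb-atlas-operator', namespace: 'mongodb-atlas-system' },
  spec: {
    template: {
      spec: {
        containers: [
          {
            name: 'manager',
            image: 'mongodb/mongodb-atlas-kubernetes-operator:1.7.0',
            command: ['/manager'],
            args: ['--atlas-domain=https://cloud.mongodb.com/', '--log-level=debug', '--log-encoder=json'],
          },
          { name: 'sidecar', image: 'busybox', args: ['sleep', '3600'] },
        ],
      },
    },
  },
};

// Stand-alone run: print findings; an empty list means no DEBUG logging.
for (const f of findDebugLogging(sampleDeployment)) {
  console.log(`container "${f.container}" runs with ${FLAG}=${f.level}: secrets may reach the logs`);
}
```

Run it against the real export with `kubectl get deployment -n mongodb-atlas-system mongodb-atlas-operator -o json` piped into the script, or wire `findDebugLogging` into an admission or CI policy so a debug level on the operator is rejected before it ships. A finding on an affected version means the GCP keys and integration secrets the operator handles should be treated as exposed wherever those logs were shipped.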

CVSS: 7.5 | EPSS: 0% | CPEs: 7 | EXPL: 0

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0). • https://jira.mongodb.org/browse/CDRIVER-3797 https://jira.mongodb.org/browse/CXX-2028 https://jira.mongodb.org/browse/NODE-3356 https://jira.mongodb.org/browse/PHPC-1869 https://jira.mongodb.org/browse/SWIFT-1229 https://security.netapp.com/advisory/ntap-20231006-0001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
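Applications that cannot move to a fixed driver immediately can redact the listener events themselves before anything is logged. The following JavaScript is an added example written against the Node.js driver's command monitoring API (`monitorCommands: true` plus `commandStarted` / `commandSucceeded` listeners), not driver code: it reduces commands that carry credentials (SASL exchanges, legacy authenticate/getnonce, user management, and a hello/isMaster that embeds speculativeAuthenticate) to their name before they reach a logger. The set of sensitive command names is this example's assumption, and the sample events are constructed.

```javascript
// Added example (not MongoDB driver code): redact authentication material from
// command-monitoring events before they are logged. The command names below
// are this example's assumption about which wire-protocol commands carry
// credentials; the page above does not publish such a list.
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce',
  'createuser', 'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);

// A handshake (hello / legacy isMaster) is sensitive only when it embeds a
// speculativeAuthenticate document, which carries the first SASL payload.
function isSensitive(commandName, doc) {
  const name = String(commandName).toLowerCase();
  if (SENSITIVE_COMMANDS.has(name)) return true;
  const isHandshake = name === 'hello' || name === 'ismaster';
  return isHandshake && doc !== null && typeof doc === 'object' && 'speculativeAuthenticate' in doc;
}

// CommandStartedEvent: keep routing metadata, replace the command body with
// `{ <commandName>: 1 }` so the log still says what ran but not with what.
function redactCommandStarted(ev) {
  if (!isSensitive(ev.commandName, ev.command)) return ev;
  return Object.assign({}, ev, { command: { [ev.commandName]: 1 } });
}

// CommandSucceededEvent: the reply to saslStart/saslContinue carries the
// server's SASL payload, and a hello reply may carry speculativeAuthenticate,
// so the reply is reduced to its `ok` field for the same command set.
function redactCommandSucceeded(ev) {
  if (!isSensitive(ev.commandName, ev.reply)) return ev;
  const ok = ev.reply && typeof ev.reply === 'object' ? ev.reply.ok : undefined;
  return Object.assign({}, ev, { reply: { ok } });
}

// One JSON log line per started event, built only from the redacted copy.
function formatStarted(ev) {
  const safe = redactCommandStarted(ev);
  return JSON.stringify({
    requestId: safe.requestId,
    db: safe.databaseName,
    commandName: safe.commandName,
    command: safe.command,
  });
}

// Wiring with the Node.js driver (shown as comments so this file runs offline):
//   const client = new MongoClient(uri, { monitorCommands: true });
//   client.on('commandStarted',   ev => logger.info(formatStarted(ev)));
//   client.on('commandSucceeded', ev => logger.info(JSON.stringify(redactCommandSucceeded(ev))));

// Constructed events shaped like the driver's, with fake SASL payloads.
const saslStartEvent = {
  requestId: 7, databaseName: 'admin', commandName: 'saslStart',
  command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'biwsbj1hcHAscj1mYWtlbm9uY2U=' },
};
const helloEvent = {
  requestId: 6, databaseName: 'admin', commandName: 'hello',
  command: { hello: 1, speculativeAuthenticate: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'ZmFrZQ==' } },
};
const findEvent = {
  requestId: 8, databaseName: 'app', commandName: 'find',
  command: { find: 'users', filter: { _id: 1 } },
};

for (const ev of [helloEvent, saslStartEvent, findEvent]) console.log(formatStarted(ev));
```

The redaction is keyed on the command name rather than on field names because the credential-bearing fields differ per mechanism (`payload` for SASL, `key`/`nonce` for the legacy path) and a deny-list of fields would miss the next one. A `commandFailed` event carries `failure` instead of `reply`; apply the same name check there before logging the error document. Redacting at the listener is a stop-gap: the fix in the listed driver versions is to upgrade, after which the driver itself omits this data from the events.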

CVSS: 7.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), it is possible that client certificate validation is not in effect, potentially allowing a client that presents any certificate to establish a TLS connection with the server. This issue affects all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14, and all MongoDB Server v4.4 versions. • https://jira.mongodb.org/browse/SERVER-73662 https://jira.mongodb.org/browse/SERVER-77028 https://security.netapp.com/advisory/ntap-20230921-0007 • CWE-295: Improper Certificate Validation •

CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation. • https://security.netapp.com/advisory/ntap-20230831-0013 https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 • CWE-269: Improper Privilege Management CWE-648: Incorrect Use of Privileged APIs •

CVSS: 5.3 | EPSS: 1% | CPEs: 2 | EXPL: 0

MongoDB Ops Manager Diagnostics Archive may not redact the sensitive PEM key file password application setting. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12. • https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-5-0-21 https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0-12 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
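Until archives are produced by a fixed version, the practical workaround is to redact the settings file before the archive leaves the host. The following JavaScript is an added example, not Ops Manager code: it rewrites password-like keys in a Java `.properties` file while keeping comments, indentation, separators and non-secret values intact. The key names in the sample follow the `conf-mms.properties` naming style but are constructed here, and which key names count as sensitive is this example's assumption.

```javascript
// Added example (not Ops Manager code): redact password-like settings in a
// Java .properties file before a diagnostics archive or config dump is shared.
// Which key names count as sensitive is this example's assumption.
const SENSITIVE_KEY = /password|passwd|secret|token|apikey|privatekey/i;
const PLACEHOLDER = '<REDACTED>';

// key, then `=` or `:` (with optional spaces) or bare whitespace, then value.
// Lines starting with `#` or `!` are comments and do not match.
const PROP_RE = /^(\s*)([^\s:=#!][^\s:=]*)(\s*[=:]\s*|\s+)(.*)$/;

// Rewrite sensitive values, preserving indentation, separator and every
// other line byte for byte. Returns the new text and the redacted keys.
function redactProperties(text) {
  const redacted = [];
  const lines = text.split('\n').map((line) => {
    const m = PROP_RE.exec(line);
    if (!m) return line;                              // comment, blank or malformed
    const [, indent, key, sep, value] = m;
    if (!SENSITIVE_KEY.test(key) || value === '') return line;
    redacted.push(key);
    return `${indent}${key}${sep}${PLACEHOLDER}`;
  });
  return { text: lines.join('\n'), redacted };
}

// Constructed excerpt in the style of conf-mms.properties (not a real file).
const sampleConf = [
  '# constructed conf-mms.properties excerpt',
  'mms.centralUrl=https://opsmanager.example.internal:8443',
  'mms.https.PEMKeyFile=/etc/mongodb-mms/server.pem',
  'mms.https.PEMKeyFilePassword=hunter2',
  'mms.ldap.bindPassword = s3cret',
  'mms.mail.transport: smtp',
  '',
].join('\n');

const result = redactProperties(sampleConf);
console.log(result.text);
console.log('redacted keys:', result.redacted.join(', '));
```

The returned key list is worth logging on its own: it tells you which settings were present in the archive you are about to hand over, and an empty list on a host that is known to use a passphrase-protected PEM file is a sign the key name pattern needs widening. The PEM file path itself is left in place, since the page states the archive never contains the PEM files, only the setting that unlocks them.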