CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3371 – Insufficient validation of external input in Compass may enable MITM attacks
https://notcve.org/view.php?id=CVE-2024-3371
MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to 1.42.0. MongoDB Compass puede aceptar y utilizar entradas no suficientemente validadas de una fuente externa que no sea de confianza. Esto puede provocar un comportamiento no deseado de la aplicación, incluida la divulgación de datos y permitir que los atacantes se hagan pasar por usuarios. • https://jira.mongodb.org/browse/COMPASS-7260 • CWE-360: Trust of System Event Data •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1351 – MongoDB Server may allow successful untrusted connection
https://notcve.org/view.php?id=CVE-2024-1351
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28. Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured. Bajo ciertas configuraciones de --tlsCAFile y tls.CAFile, el servidor MongoDB puede omitir la validación de certificados de pares, lo que puede resultar en conexiones que no son de confianza para tener éxito. Esto puede reducir efectivamente las garantías de seguridad proporcionadas por TLS y abrir conexiones que deberían haberse cerrado debido a una validación fallida del certificado. • https://jira.mongodb.org/browse/SERVER-72839 https://security.netapp.com/advisory/ntap-20240524-0010 https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024 https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024 https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024 https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0437 – MongoDB client C Driver may infinitely loop when validating certain BSON input data
https://notcve.org/view.php?id=CVE-2023-0437
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0. Al llamar a bson_utf8_validate en algunas entradas puede ocurrir un bucle con una condición de salida que no se puede alcanzar, es decir, un bucle infinito. Este problema afecta a All MongoDB C Driver anteriores a la versión 1.25.0. • https://jira.mongodb.org/browse/CDRIVER-4747 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0436 – Secret logging may occur in debug mode of Atlas Operator
https://notcve.org/view.php?id=CVE-2023-0436
The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version. Required Configuration: DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 ) Las versiones afectadas de MongoDB Atlas Kubernetes Operator pueden imprimir información confidencial, como claves de cuenta de servicio de GCP y secretos de integración de API, mientras el registro en modo DEBUG está habilitado. Este problema afecta a las versiones de MongoDB Atlas Kubernetes Operador: 1.5.0, 1.6.0, 1.6.1, 1.7.0. • https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-32050 – Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application
https://notcve.org/view.php?id=CVE-2021-32050
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0). • https://jira.mongodb.org/browse/CDRIVER-3797 https://jira.mongodb.org/browse/CXX-2028 https://jira.mongodb.org/browse/NODE-3356 https://jira.mongodb.org/browse/PHPC-1869 https://jira.mongodb.org/browse/SWIFT-1229 https://security.netapp.com/advisory/ntap-20231006-0001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •