CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-6375 – Missing authorization check may lead to shard key refinement
https://notcve.org/view.php?id=CVE-2024-6375
01 Jul 2024 — A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3. A un comando para refinar una clave de fragmento de colección le falta una verificación de autorización. E... • https://jira.mongodb.org/browse/SERVER-79327 • CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-1409 – Certificate validation issue in MongoDB Server running on Windows or macOS
https://notcve.org/view.php?id=CVE-2023-1409
23 Aug 2023 — If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate. This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions. • https://jira.mongodb.org/browse/SERVER-73662 • CWE-295: Improper Certificate Validation •