CVE-2020-7927

Potential privilege escalation in Ops Manager API

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.

Specially crafted API calls may allow an authenticated user who holds the Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-23 CVE Reserved
  • 2020-11-23 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-648: Incorrect Use of Privileged APIs
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Mongodb | Ops Manager | >= 4.2.0 <= 4.2.17 | - | Affected
Mongodb | Ops Manager | >= 4.3.0 <= 4.3.9 | - | Affected
Mongodb | Ops Manager | >= 4.4.0 <= 4.4.2 | - | Affected