CVE-2023-4009
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager | 6.0 < 6.0.17 | affected |
| MongoDB Inc. | MongoDB Ops Manager | 5.0 < 5.0.22 | affected |
Weaknesses
- CWE-648: CWE-648: Incorrect Use of Privileged APIs
ADP Enrichment
CVE Program Container
Additional References
- https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0
- https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22
- https://security.netapp.com/advisory/ntap-20230831-0013/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0
- https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22
- https://security.netapp.com/advisory/ntap-20230831-0013/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.