Mongodb · Mongodb Server · CVE-2024-1351
**Name of the Vulnerable Software and Affected Versions**
MongoDB Server versions prior to and including 7.0.5
MongoDB Server versions prior to and including 6.0.13
MongoDB Server versions prior to and including 5.0.24
MongoDB Server versions prior to and including 4.4.28
**Description**
The issue is related to errors in the TLS certificate authentication procedure, which may allow an attacker to establish unauthorized connections to the MongoDB server. Under certain configurations of `--tlsCAFile` and `tls.CAFile`, MongoDB Server may skip peer certificate validation, resulting in untrusted connections succeeding. This reduces the security guarantees provided by TLS and opens connections that should have been closed due to failing certificate validation. A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (`net.tls.mode` set to `allowTLS`, `preferTLS`, or `requireTLS`) and without a `net.tls.CAFile` configured.
**Recommendations**
For MongoDB Server version 7.0.5 and earlier, update to a version later than 7.0.5 to fix the issue.
For MongoDB Server version 6.0.13 and earlier, update to a version later than 6.0.13 to fix the issue.
For MongoDB Server version 5.0.24 and earlier, update to a version later than 5.0.24 to fix the issue.
For MongoDB Server version 4.4.28 and earlier, update to a version later than 4.4.28 to fix the issue.
As a temporary workaround, consider configuring `net.tls.CAFile` to ensure peer certificate validation is performed. Restrict access to the server by configuring `net.tls.mode` to `requireTLS` and ensuring a valid `net.tls.CAFile` is provided. Avoid starting the server process without a `net.tls.CAFile` configured when TLS is enabled.
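The condition in the description (TLS enabled, no CA file) and the configuration change in the recommendations can be checked mechanically. The script below is an added example, not MongoDB's own code: it reads a `mongod.conf` fragment and any `--tlsMode` / `--tlsCAFile` command-line flags, applies the advisory's rule, and compares the server version against the affected ceilings listed above. The two config snippets and their file paths are constructed for illustration; the small YAML reader only understands the indented `key: value` layout of `mongod.conf`, and command-line values are assumed to take precedence over the file.

```python
"""Audit a mongod configuration for the CVE-2024-1351 condition.

Added example (not MongoDB's code). Rule from the advisory: the server
skips peer certificate validation when net.tls.mode is allowTLS,
preferTLS or requireTLS (or --tlsMode on the command line) and no
net.tls.CAFile / --tlsCAFile is configured, on the affected versions.
"""

# Highest affected patch release per listed release line.
AFFECTED_UP_TO = {(7, 0): 5, (6, 0): 13, (5, 0): 24, (4, 4): 28}
TLS_ON = {"allowTLS", "preferTLS", "requireTLS"}


def parse_conf(text):
    """Minimal reader for mongod.conf: nested 'key: value' lines only
    (assumption: no YAML lists, anchors or multi-line values)."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back to the right parent
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key.strip()] = value
        else:
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def lookup(conf, dotted):
    """Resolve a dotted setting name such as 'net.tls.CAFile'."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def flag_value(argv, name):
    """Return the value of '--flag value' or '--flag=value', else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def version_affected(version):
    """True for versions up to and including the listed ceilings; other
    release lines are not classified by this check (assumption)."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    ceiling = AFFECTED_UP_TO.get((major, minor))
    return ceiling is not None and patch <= ceiling


def audit(version, conf_text="", argv=()):
    """Return (exposed, reason) for a server version plus its config."""
    conf = parse_conf(conf_text)
    # Assumption: a command-line flag overrides the config file setting.
    mode = flag_value(argv, "--tlsMode") or lookup(conf, "net.tls.mode") or "disabled"
    ca_file = flag_value(argv, "--tlsCAFile") or lookup(conf, "net.tls.CAFile")
    if not version_affected(version):
        return False, f"version {version} is outside the affected ranges"
    if mode not in TLS_ON:
        return False, f"TLS is not enabled (mode={mode})"
    if ca_file:
        return False, f"CA file configured ({ca_file}); peer validation enforced"
    return True, f"TLS mode {mode} with no CA file on {version}: peer validation skipped"


# Constructed sample configs (paths are placeholders, not real deployments).
VULNERABLE_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # constructed path
"""

HARDENED_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # constructed path
    CAFile: /etc/ssl/ca.pem                   # constructed path
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit("7.0.5", conf))
```

Feeding the script a live `mongod.conf` and the process's argument list gives a quick inventory check across a fleet; the same rule can be expressed as a configuration-management assertion that `net.tls.CAFile` is present whenever `net.tls.mode` is not `disabled`.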