PT-2020-19852 · MongoDB · MongoDB Ops Manager
Published 2020-11-23 · Updated 2024-09-17 · CVE-2020-7927
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MongoDB Ops Manager versions prior to and including 4.2.17
MongoDB Ops Manager versions prior to and including 4.3.9
MongoDB Ops Manager versions prior to and including 4.4.2
Description
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege.
Recommendations
For MongoDB Ops Manager versions prior to and including 4.2.17, update to a version later than 4.2.17.
For MongoDB Ops Manager versions prior to and including 4.3.9, update to a version later than 4.3.9.
For MongoDB Ops Manager versions prior to and including 4.4.2, update to a version later than 4.4.2.
As a temporary workaround until the update can be applied, consider restricting access to the API endpoints that allow obtaining API keys with Global Role privilege.
Affected Products
MongoDB Ops Manager