PT-2021-2652 · MongoDB · MongoDB Database Tools

Huan Li · Published 2021-04-12 · Updated 2024-09-16 · CVE-2020-7924

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

- MongoDB Database Tools versions 3.6.6 through 3.6.20
- MongoDB Database Tools versions prior to 3.6.21
- MongoDB Database Tools versions prior to 4.0.21
- MongoDB Database Tools versions prior to 4.2.11
- MongoDB Database Tools 100 versions prior to 100.2.0
- Mongomirror 0 versions later than 0.6.0
Description

A command line parameter in MongoDB Tools that was intended only to skip hostname verification can instead cause all certificate validation to be skipped, so the tools may accept invalid certificates. A remote attacker could use this to access and compromise confidential data.
Recommendations

- For MongoDB Database Tools versions 3.6.6 through 3.6.20, update to version 3.6.21 or later.
- For MongoDB Database Tools versions prior to 3.6.21, update to version 3.6.21 or later.
- For MongoDB Database Tools versions prior to 4.0.21, update to version 4.0.21 or later.
- For MongoDB Database Tools versions prior to 4.2.11, update to version 4.2.11 or later.
- For MongoDB Database Tools 100 versions prior to 100.2.0, update to version 100.2.0 or later.
- For Mongomirror 0 versions later than 0.6.0, consider disabling the vulnerable command line parameter until a patch is available.

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2021-02181
CVE-2020-7924
GHSA-6CWM-WM82-HGRW
GO-2024-2550

Affected Products

MongoDB Database Tools