PT-2024-2058 · Mongodb · Mongodb Server

Erwin Pe · Published 2024-03-07 · Updated 2025-03-12 · CVE-2024-1351

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

MongoDB Server versions prior to and including 7.0.5
MongoDB Server versions prior to and including 6.0.13
MongoDB Server versions prior to and including 5.0.24
MongoDB Server versions prior to and including 4.4.28
Description

The issue is related to errors in the TLS certificate authentication procedure, which may allow an attacker to establish unauthorized connections to the MongoDB server. Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, resulting in untrusted connections succeeding. This reduces the security guarantees provided by TLS and opens connections that should have been closed due to failing certificate validation. A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.
Recommendations

For MongoDB Server version 7.0.5 and earlier, update to a version later than 7.0.5 to fix the issue.
For MongoDB Server version 6.0.13 and earlier, update to a version later than 6.0.13 to fix the issue.
For MongoDB Server version 5.0.24 and earlier, update to a version later than 5.0.24 to fix the issue.
For MongoDB Server version 4.4.28 and earlier, update to a version later than 4.4.28 to fix the issue.

As a temporary workaround, configure net.tls.CAFile so that peer certificate validation is performed. Restrict access to the server by setting net.tls.mode to requireTLS and providing a valid net.tls.CAFile. Do not start the server process with TLS enabled unless a net.tls.CAFile is configured.
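An added audit check for the condition this advisory describes (example code, not from the advisory's author or from MongoDB): it parses the net.tls section of a mongod.conf with a tiny YAML-subset parser, flags a TLS-enabling net.tls.mode that has no net.tls.CAFile, and compares the server version against the affected ranges listed above. Assumed: the two sample configs are constructed, and certificateKeyFile and port are ordinary mongod.conf keys included only to make them realistic.

```python
import re
# Last affected patch release per branch, from the advisory's affected-version list.
LAST_AFFECTED = {(7, 0): (7, 0, 5), (6, 0): (6, 0, 13), (5, 0): (5, 0, 24), (4, 4): (4, 4, 28)}
# net.tls.mode values that enable TLS on the listener, as named in the advisory.
TLS_ON_MODES = {"allowTLS", "preferTLS", "requireTLS"}
# Constructed sample configs: WEAK has TLS on but no CAFile; FIXED adds the CA file.
WEAK_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
"""
FIXED_CONF = WEAK_CONF + "    CAFile: /etc/ssl/ca.pem\n"

def version_affected(version: str) -> bool:
    """True if the version falls in an affected range listed by the advisory."""
    ver = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    last = LAST_AFFECTED.get(ver[:2])
    return last is not None and ver <= last  # unlisted branches are out of scope here

def parse_mongod_conf(text: str) -> dict:
    """Minimal parser for the YAML subset mongod.conf uses: nested mappings and scalars."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # dedent: close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("\"'")
        else:  # "key:" with no value opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def tls_skips_peer_validation(conf: dict) -> bool:
    """The advisory's trigger: net.tls.mode enables TLS but net.tls.CAFile is unset."""
    tls = conf.get("net", {}).get("tls", {})
    return tls.get("mode") in TLS_ON_MODES and not tls.get("CAFile")

def audit(version: str, conf_text: str) -> bool:
    """Flags a host only when both the version and the configuration match the advisory."""
    return version_affected(version) and tls_skips_peer_validation(parse_mongod_conf(conf_text))
```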

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2024-8236
ALT-PU-2024-8238
ALT-PU-2024-8258
BDU:2024-01947
BIT-MONGODB-2024-1351
CVE-2024-1351

Affected Products

Alt Linux
Mongodb Server
Mongodb
Red Os