#VU27864 Improper Authorization in MongoDB - CVE-2020-7921

Cybersecurity Help s.r.o.

Published: 2020-05-13

Vulnerability identifier: #VU27864

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-7921

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MongoDB
Server applications / Database software

Vendor: MongoDB, Inc.

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect serialization of internal state in the authorization subsystem in MongoDB Server. A remote attacker with valid user credentials can bypass IP whitelisting protection mechanism and gain access to the MongoDB server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MongoDB: 3.6.0 - 4.3.2

External links
https://jira.mongodb.org/browse/SERVER-45472

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 20.03 LTS update for mongodb-4.0.1-4

Authorization bypass in MongoDB Server