Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for ops_manager by mongodb
CVE-2021-20335 (GCVE-0-2021-20335)
Vulnerability from cvelistv5 – Published: 2021-02-11 10:10 – Updated: 2024-09-17 01:50
VLAI
Title
SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager
Summary
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.
Severity
6.7 (Medium)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.opsmanager.mongodb.com/v4.2/release-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager |
Affected:
4.2 , ≤ 4.2.24
(custom)
|
Date Public
2021-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Ops Manager",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "4.2.24",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eFor MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:21:36.855Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-02-11T10:00:00.000Z",
"ID": "CVE-2021-20335",
"STATE": "PUBLIC",
"TITLE": "SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ops Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.2",
"version_value": "4.2.24"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For MongoDB Ops Manager \u003c= 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager \u003c= 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319 Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23",
"refsource": "CONFIRM",
"url": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-20335",
"datePublished": "2021-02-11T10:10:13.856Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:50:44.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7927 (GCVE-0-2020-7927)
Vulnerability from cvelistv5 – Published: 2020-11-23 19:00 – Updated: 2024-09-17 02:01
VLAI
Title
Potential privilege escalation in Ops Manager API
Summary
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.
Severity
8.1 (High)
CWE
- CWE-648 - Incorrect Use of Privileged APIs
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.mongodb.com/docs/ops-manager/current/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager |
Affected:
4.2 , ≤ 4.2.17
(custom)
Affected: 4.3 , ≤ 4.3.9 (custom) Affected: 4.4 , ≤ 4.4.2 (custom) |
Date Public
2020-11-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:23.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Ops Manager",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "4.2.17",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.3.9",
"status": "affected",
"version": "4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSpecially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.\u003c/p\u003e"
}
],
"value": "Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-648",
"description": "CWE-648: Incorrect Use of Privileged APIs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:44:32.209Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Potential privilege escalation in Ops Manager API",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2020-7927",
"STATE": "PUBLIC",
"TITLE": "Potential privilege escalation in Ops Manager API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Ops Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.2",
"version_value": "4.2.17"
},
{
"version_affected": "\u003c=",
"version_name": "4.3",
"version_value": "4.3.9"
},
{
"version_affected": "\u003c=",
"version_name": "4.4",
"version_value": "4.4.2"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-648: Incorrect Use of Privileged APIs"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3",
"refsource": "CONFIRM",
"url": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7927",
"datePublished": "2020-11-23T19:00:18.244Z",
"dateReserved": "2020-01-23T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:01:37.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-2388 (GCVE-0-2019-2388)
Vulnerability from cvelistv5 – Published: 2020-05-13 16:15 – Updated: 2024-08-04 18:49
VLAI
Title
Potential exposure of log information in Ops Manager
Summary
In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.
Severity
5.8 (Medium)
CWE
- CWE-425 - Direct Request (Forced Browsing)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.mongodb.com/docs/ops-manager/current/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager |
Affected:
4.0.9
Affected: 4.0.10 Affected: 4.1.5 |
Date Public
2020-05-13 11:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:46.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Ops Manager",
"vendor": "MongoDB Inc.",
"versions": [
{
"status": "affected",
"version": "4.0.9"
},
{
"status": "affected",
"version": "4.0.10"
},
{
"status": "affected",
"version": "4.1.5"
}
]
}
],
"datePublic": "2020-05-13T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.\u003c/p\u003e"
}
],
"value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (Forced Browsing)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:41:20.817Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"
}
],
"source": {
"defect": [
"SECURITY-646"
],
"discovery": "INTERNAL"
},
"title": "Potential exposure of log information in Ops Manager",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"ID": "CVE-2019-2388",
"STATE": "PUBLIC",
"TITLE": "Potential exposure of log information in Ops Manager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ops Manager",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0",
"version_value": "4.0.9"
},
{
"version_affected": "=",
"version_name": "4.0",
"version_value": "4.0.10"
},
{
"version_affected": "=",
"version_name": "4.1",
"version_value": "4.1.5"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-425 Direct Request (Forced Browsing)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-0",
"refsource": "MISC",
"url": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-0"
}
]
},
"source": {
"defect": [
"SECURITY-646"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2388",
"datePublished": "2020-05-13T16:15:13.000Z",
"dateReserved": "2018-12-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T18:49:46.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20335 (GCVE-0-2021-20335)
Vulnerability from nvd – Published: 2021-02-11 10:10 – Updated: 2024-09-17 01:50
VLAI
Title
SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager
Summary
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.
Severity
6.7 (Medium)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.opsmanager.mongodb.com/v4.2/release-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager |
Affected:
4.2 , ≤ 4.2.24
(custom)
|
Date Public
2021-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Ops Manager",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "4.2.24",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eFor MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:21:36.855Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-02-11T10:00:00.000Z",
"ID": "CVE-2021-20335",
"STATE": "PUBLIC",
"TITLE": "SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ops Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.2",
"version_value": "4.2.24"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For MongoDB Ops Manager \u003c= 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager \u003c= 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319 Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23",
"refsource": "CONFIRM",
"url": "https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-20335",
"datePublished": "2021-02-11T10:10:13.856Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:50:44.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7927 (GCVE-0-2020-7927)
Vulnerability from nvd – Published: 2020-11-23 19:00 – Updated: 2024-09-17 02:01
VLAI
Title
Potential privilege escalation in Ops Manager API
Summary
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.
Severity
8.1 (High)
CWE
- CWE-648 - Incorrect Use of Privileged APIs
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.mongodb.com/docs/ops-manager/current/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager |
Affected:
4.2 , ≤ 4.2.17
(custom)
Affected: 4.3 , ≤ 4.3.9 (custom) Affected: 4.4 , ≤ 4.4.2 (custom) |
Date Public
2020-11-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:23.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Ops Manager",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "4.2.17",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.3.9",
"status": "affected",
"version": "4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSpecially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.\u003c/p\u003e"
}
],
"value": "Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-648",
"description": "CWE-648: Incorrect Use of Privileged APIs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:44:32.209Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Potential privilege escalation in Ops Manager API",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2020-7927",
"STATE": "PUBLIC",
"TITLE": "Potential privilege escalation in Ops Manager API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Ops Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.2",
"version_value": "4.2.17"
},
{
"version_affected": "\u003c=",
"version_name": "4.3",
"version_value": "4.3.9"
},
{
"version_affected": "\u003c=",
"version_name": "4.4",
"version_value": "4.4.2"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-648: Incorrect Use of Privileged APIs"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3",
"refsource": "CONFIRM",
"url": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-4-3"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7927",
"datePublished": "2020-11-23T19:00:18.244Z",
"dateReserved": "2020-01-23T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:01:37.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-2388 (GCVE-0-2019-2388)
Vulnerability from nvd – Published: 2020-05-13 16:15 – Updated: 2024-08-04 18:49
VLAI
Title
Potential exposure of log information in Ops Manager
Summary
In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.
Severity
5.8 (Medium)
CWE
- CWE-425 - Direct Request (Forced Browsing)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.mongodb.com/docs/ops-manager/current/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Ops Manager |
Affected:
4.0.9
Affected: 4.0.10 Affected: 4.1.5 |
Date Public
2020-05-13 11:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:46.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Ops Manager",
"vendor": "MongoDB Inc.",
"versions": [
{
"status": "affected",
"version": "4.0.9"
},
{
"status": "affected",
"version": "4.0.10"
},
{
"status": "affected",
"version": "4.1.5"
}
]
}
],
"datePublic": "2020-05-13T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.\u003c/p\u003e"
}
],
"value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (Forced Browsing)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:41:20.817Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"
}
],
"source": {
"defect": [
"SECURITY-646"
],
"discovery": "INTERNAL"
},
"title": "Potential exposure of log information in Ops Manager",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"ID": "CVE-2019-2388",
"STATE": "PUBLIC",
"TITLE": "Potential exposure of log information in Ops Manager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ops Manager",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0",
"version_value": "4.0.9"
},
{
"version_affected": "=",
"version_name": "4.0",
"version_value": "4.0.10"
},
{
"version_affected": "=",
"version_name": "4.1",
"version_value": "4.1.5"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-425 Direct Request (Forced Browsing)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-0",
"refsource": "MISC",
"url": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-0"
}
]
},
"source": {
"defect": [
"SECURITY-646"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2388",
"datePublished": "2020-05-13T16:15:13.000Z",
"dateReserved": "2018-12-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T18:49:46.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}