CVE-2023-4009

Published: Aug 8, 2023Modified: Feb 13, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

Affected (2)

Products: Mongodb: Ops Manager Server

Mongodb

1 product

Ops Manager Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mongodb Ops Manager Server	From 5.0.0 to 5.0.22
Mongodb Ops Manager Server	From 6.0.0 to 6.0.17

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-648

Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References (6)

https://security.netapp.com/advisory/ntap-20230831-0013/

Source: cna@mongodb.com

https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0

Source: cna@mongodb.com

Vendor Advisory

https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22

Source: cna@mongodb.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230831-0013/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.