Vulnerability Details : CVE-2023-4009
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.
Vulnerability category: Gain privilege
Products affected by CVE-2023-4009
- cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-4009
0.19%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-4009
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
MongoDB, Inc. | |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
CWE ids for CVE-2023-4009
-
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Assigned by: nvd@nist.gov (Primary)
-
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.Assigned by: cna@mongodb.com (Secondary)
References for CVE-2023-4009
-
https://security.netapp.com/advisory/ntap-20230831-0013/
CVE-2023-4009 MongoDB Vulnerability in NetApp Products | NetApp Product Security
-
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0
Ops Manager Server Changelog — MongoDB Ops Manager 6.0Vendor Advisory
-
https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22
Ops Manager Server Changelog — MongoDB Ops Manager 5.0Vendor Advisory
Jump to