CVE-2023-4009

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*

History

14 Aug 2023, 16:32

Type Values Removed Values Added
CWE CWE-269
References (MISC) https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 - (MISC) https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 - Vendor Advisory
References (MISC) https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 - (MISC) https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 - Vendor Advisory
CPE cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2

08 Aug 2023, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-08 09:15

Updated : 2024-02-05 00:01


NVD link : CVE-2023-4009

Mitre link : CVE-2023-4009

CVE.ORG link : CVE-2023-4009


JSON object : View

Products Affected

mongodb

  • ops_manager_server
CWE
CWE-269

Improper Privilege Management

CWE-648

Incorrect Use of Privileged APIs