gsd - gsd-2023-4009

gsd-2023-4009

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

Aliases

CVE-2023-4009

Aliases

CVE-2023-4009

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-4009",
    "id": "GSD-2023-4009"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-4009"
      ],
      "details": "In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.\n",
      "id": "GSD-2023-4009",
      "modified": "2023-12-13T01:20:27.407257Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@mongodb.com",
        "ID": "CVE-2023-4009",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "MongoDB Ops Manager",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "6.0",
                          "version_value": "6.0.17"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "5.0",
                          "version_value": "5.0.22"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "MongoDB Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-648",
                "lang": "eng",
                "value": "CWE-648: Incorrect Use of Privileged APIs"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0",
            "refsource": "MISC",
            "url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0"
          },
          {
            "name": "https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22",
            "refsource": "MISC",
            "url": "https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20230831-0013/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20230831-0013/"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.17",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.22",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@mongodb.com",
          "ID": "CVE-2023-4009"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22"
            },
            {
              "name": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20230831-0013/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://security.netapp.com/advisory/ntap-20230831-0013/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-08-31T19:15Z",
      "publishedDate": "2023-08-08T09:15Z"
    }
  }
}

CVE-2023-4009 (GCVE-0-2023-4009)

Vulnerability from cvelistv5

Published

2023-08-08 08:37

Modified

2025-02-13 17:03

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-648 - Incorrect Use of Privileged APIs

Summary

References

►

URL

Tags

	https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0
	https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22
	https://security.netapp.com/advisory/ntap-20230831-0013/

Impacted products

	Vendor	Product	Version
	MongoDB Inc.	MongoDB Ops Manager	Version: 6.0 < 6.0.17 Version: 5.0 < 5.0.22

Show details on NVD website