CVE-2024-1351 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2024-1351?

CVE-2024-1351 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-1351?

Check the references section above for vendor advisories and patch information. Affected products include: Mongodb Mongodb, Netapp Astra Control Center, Netapp Ontap Tools.

Vulnerability Description

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28. Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mongodb	Mongodb	>= 4.4.0, < 4.4.29
Netapp	Astra Control Center	-
Netapp	Ontap Tools	10

Related Weaknesses (CWE)

CWE-295

References

https://jira.mongodb.org/browse/SERVER-72839Issue TrackingPatchVendor Advisory
https://security.netapp.com/advisory/ntap-20240524-0010/Third Party Advisory
https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--202Broken Link
https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024Release Notes
https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024Release Notes
https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024Release Notes
https://jira.mongodb.org/browse/SERVER-72839Issue TrackingPatchVendor Advisory
https://security.netapp.com/advisory/ntap-20240524-0010/Third Party Advisory
https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--202Broken Link
https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024Release Notes
https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024Release Notes
https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024Release Notes

FAQ

What is CVE-2024-1351?

CVE-2024-1351 is a vulnerability with a CVSS score of 8.8 (HIGH). Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the se...

How severe is CVE-2024-1351?

CVE-2024-1351 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-1351?

Check the references section above for vendor advisories and patch information. Affected products include: Mongodb Mongodb, Netapp Astra Control Center, Netapp Ontap Tools.