First published: Tue Aug 08 2023
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MongoDB Ops Manager Server | >=5.0.0, <5.0.22 | Upgrade to 5.0.22 or later |
| MongoDB Ops Manager Server | >=6.0.0, <6.0.17 | Upgrade to 6.0.17 or later |
The vulnerability ID of this MongoDB Ops Manager vulnerability is CVE-2023-4009.
The severity of CVE-2023-4009 is high with a severity value of 7.2.
The affected software versions of CVE-2023-4009 are MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17.
An authenticated user with project owner or project user admin access can exploit CVE-2023-4009 by generating an API key with the privileges of org owner, resulting in privilege escalation.
You can find more information about CVE-2023-4009 at the following references: [Reference 1](https://security.netapp.com/advisory/ntap-20230831-0013/), [Reference 2](https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0), [Reference 3](https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22).