First published: Thu Mar 07 2024
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, which may allow untrusted connections to succeed. This effectively reduces the security guarantees provided by TLS and leaves open connections that should have been closed because certificate validation failed. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24, and MongoDB Server v4.4 versions prior to and including 4.4.28.

Required configuration: a server process will allow incoming connections to skip peer certificate validation if it was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.
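The required configuration above is easy to check for mechanically. The following is an added example, not MongoDB's code: it flags a mongod configuration (either a mongod.conf YAML fragment or a mongod command line) in which TLS is enabled (net.tls.mode or --tlsMode set to allowTLS, preferTLS or requireTLS) but no net.tls.CAFile / --tlsCAFile is set. The `parse_simple_yaml` helper and the sample configurations are constructed for this example; the helper is a hypothetical minimal parser for nested `key: value` mappings only, and a real audit script should use a full YAML library.

```python
"""Added example (not MongoDB's code): detect the CVE-2024-1351 required
configuration, i.e. TLS enabled without a CA file configured."""

# net.tls.mode values under which the server accepts TLS connections
TLS_ENABLED_MODES = {"allowTLS", "preferTLS", "requireTLS"}


def parse_simple_yaml(text):
    """Hypothetical minimal parser: indentation-based `key: value` mappings
    into nested dicts. No lists, anchors or multi-line scalars; enough for
    the constructed samples below."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        while stack[-1][0] >= indent:  # climb back to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("\"'")
    return root


def check_tls_config(config):
    """Return a finding string if the config matches the vulnerable shape
    (TLS enabled, no CAFile), otherwise None."""
    tls = config.get("net", {}).get("tls", {})
    mode = tls.get("mode", "disabled")
    if mode not in TLS_ENABLED_MODES:
        return None  # TLS is off; CVE-2024-1351 does not apply
    if tls.get("CAFile"):
        return None  # a CA file is configured; validation is enforced
    return (f"net.tls.mode is {mode} but net.tls.CAFile is not set: "
            "peer certificate validation may be skipped (CVE-2024-1351)")


def check_tls_argv(argv):
    """Same check for a mongod command line using --tlsMode / --tlsCAFile."""
    opts = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:  # --tlsMode=requireTLS form
                name, value = arg[2:].split("=", 1)
                opts[name] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                opts[arg[2:]] = argv[i + 1]  # --tlsMode requireTLS form
                i += 1
            else:
                opts[arg[2:]] = ""  # bare flag
        i += 1
    # Normalise into the config-file shape and reuse the same check
    tls = {"mode": opts.get("tlsMode", "disabled")}
    if opts.get("tlsCAFile"):
        tls["CAFile"] = opts["tlsCAFile"]
    return check_tls_config({"net": {"tls": tls}})


# Constructed sample: TLS required, but no CAFile -> vulnerable shape
WEAK_CONF = """
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
"""

# Constructed sample: same, with a CA file so peers are validated
FIXED_CONF = """
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "->", check_tls_config(parse_simple_yaml(conf)))
    print("argv ->", check_tls_argv(["mongod", "--tlsMode", "requireTLS"]))
```

Run it against the server's actual mongod.conf and the process command line; a non-`None` result means the instance matches the required configuration and should be upgraded past the affected versions and given a CAFile.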
Credit: cna@mongodb.com
Affected Software | Affected Version | How to fix
---|---|---
MongoDB | <=7.0.5 | 
MongoDB | <=6.0.13 | 
MongoDB | <=5.0.24 | 
MongoDB | <=4.4.28 | 
CVE-2024-1351 has a high severity due to the risk of untrusted connections succeeding, compromising TLS security guarantees.
To fix CVE-2024-1351, ensure that TLS certificate validation is properly configured (a net.tls.CAFile configured whenever TLS is enabled) and avoid using untrusted CA files.
CVE-2024-1351 affects MongoDB Server versions up to 7.0.5, 6.0.13, 5.0.24, and 4.4.28.
CVE-2024-1351 occurs when --tlsCAFile and tls.CAFile are configured improperly, specifically when TLS is enabled without a CA file, so peer certificate validation is skipped.
The potential consequences of CVE-2024-1351 include the establishment of untrusted connections, which can lead to data breaches and unauthorized access.