-
Type: Bug
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: All Tools
-
None
-
Needed
-
In all Mongo-tools doc, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior in the ticket.
-
v4.2, v4.0, v3.6, v3.4, v3.2
-
(copied to CRM)
Title
Specific command line parameter might result in accepting invalid certificate
CVE ID
CVE-2020-7924
Description
Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.
CVSS score
This issue's CVSS:3.1 severity is scored at 4.2 using the following scoring metrics:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected products
MongoDB Inc. MongoDB Database Tools, Mongomirror
Affected versions:
MongoDB Database Tools 3.6 - versions after 3.6.5 and before 3.6.21
MongoDB Database Tools 4.0 - versions before 4.0.21
MongoDB Database Tools 4.2 - versions before 4.2.11
MongoDB Database Tools 100 - versions before 100.2.0
Mongomirror 0 - versions after 0.6.0
CWE
CWE-295: Improper Certificate Validation
- backported by
-
TOOLS-2588 [v4.2] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely
- Closed
-
TOOLS-2589 [v4.0] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely
- Closed
-
TOOLS-2590 [v3.6] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely
- Closed
-
TOOLS-2591 [v3.4] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely
- Closed
-
TOOLS-2592 VERIFY - [v3.2] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely
- Closed
- depends on
-
GODRIVER-1617 add option to JUST skip hostname verification for ssl/tls
- Closed
- is caused by
-
TOOLS-1948 Use Go-native TLS dialer on platforms with openssl 0.9.x
- Closed
- links to