CVE-2020-7922 (GCVE-0-2020-7922)
Vulnerability from cvelistv5 – Published: 2020-04-09 17:35 – Updated: 2024-09-16 20:37
VLAI
Title
Kubernetes Operator generates potentially insecure certificates
Summary
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, MongoDB Enterprise Kubernetes Operator version 1.1, MongoDB Enterprise Kubernetes Operator version 1.2 versions prior to 1.2.4, MongoDB Enterprise Kubernetes Operator version 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.
Severity
6.4 (Medium)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mongodb/mongodb-enterprise-kub… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc. | MongoDB Enterprise Kubernetes Operator |
Affected:
1.0
Affected: 1.1 Affected: 1.2 , ≤ 1.2.4 (custom) Affected: 1.3 , ≤ 1.3.1 (custom) Affected: 1.4 , ≤ 1.4.4 (custom) |
Date Public
2020-04-08 23:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:23.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Enterprise Kubernetes Operator",
"vendor": "MongoDB Inc.",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "1.1"
},
{
"lessThanOrEqual": "1.2.4",
"status": "affected",
"version": "1.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.3.1",
"status": "affected",
"version": "1.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.4.4",
"status": "affected",
"version": "1.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-04-08T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eX.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, MongoDB Enterprise Kubernetes Operator version 1.1, MongoDB Enterprise Kubernetes Operator version 1.2 versions prior to 1.2.4, MongoDB Enterprise Kubernetes Operator version 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.\u003c/p\u003e"
}
],
"value": "X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, MongoDB Enterprise Kubernetes Operator version 1.1, MongoDB Enterprise Kubernetes Operator version 1.2 versions prior to 1.2.4, MongoDB Enterprise Kubernetes Operator version 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:11:31.372Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Kubernetes Operator generates potentially insecure certificates",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-04-09T00:00:00.000Z",
"ID": "CVE-2020-7922",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Operator generates potentially insecure certificates"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Enterprise Kubernetes Operator",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.0",
"version_value": "1.0"
},
{
"version_affected": "=",
"version_name": "1.1",
"version_value": "1.1"
},
{
"version_affected": "\u003c=",
"version_name": "1.2",
"version_value": "1.2.4"
},
{
"version_affected": "\u003c=",
"version_name": "1.3",
"version_value": "1.3.1"
},
{
"version_affected": "\u003c=",
"version_name": "1.4",
"version_value": "1.4.4"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects: MongoDB Inc. MongoDB Enterprise Kubernetes Operator version 1.0, 1.1, 1.2 versions prior to 1.2.4, 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5",
"refsource": "CONFIRM",
"url": "https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7922",
"datePublished": "2020-04-09T17:35:12.278Z",
"dateReserved": "2020-01-23T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:37:43.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-7922",
"date": "2026-05-26",
"epss": "0.002",
"percentile": "0.41788"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-7922\",\"sourceIdentifier\":\"cna@mongodb.com\",\"published\":\"2020-04-09T18:15:11.740\",\"lastModified\":\"2024-11-21T05:38:00.997\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, MongoDB Enterprise Kubernetes Operator version 1.1, MongoDB Enterprise Kubernetes Operator version 1.2 versions prior to 1.2.4, MongoDB Enterprise Kubernetes Operator version 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.\"},{\"lang\":\"es\",\"value\":\"Los certificados X.509 generados por el MongoDB Enterprise Kubernetes Operator pueden permitir a un atacante con acceso al cl\u00faster de Kubernetes un acceso inapropiado a instancias de MongoDB. Los clientes que no utilizan la autenticaci\u00f3n X.509 y aquellos que no usan el Operator para generar sus certificados X.509 est\u00e1n sin afectaci\u00f3n. Este problema afecta: MongoDB Inc. MongoDB Enterprise Kubernetes Operator versi\u00f3n 1.0, 1.1, 1.2 versiones anteriores a la 1.2.4, 1.3 versiones anteriores a la 1.3.1, 1.2, 1.4 versiones anteriores a la 1.4.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@mongodb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@mongodb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mongodb:mongodb_enterprise_kubernetes_operator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndIncluding\":\"1.2.4\",\"matchCriteriaId\":\"612425D9-DC93-4E6D-829A-452944A1906D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mongodb:mongodb_enterprise_kubernetes_operator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndIncluding\":\"1.3.1\",\"matchCriteriaId\":\"456D57C3-20B8-40BC-8215-922A750F78B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mongodb:mongodb_enterprise_kubernetes_operator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.4.0\",\"versionEndIncluding\":\"1.4.4\",\"matchCriteriaId\":\"D1AB77A6-11E1-4458-A73A-470D4A31A4DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mongodb:mongodb_enterprise_kubernetes_operator:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B772D987-0048-43C2-87F0-6AF8B302A4AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mongodb:mongodb_enterprise_kubernetes_operator:1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59C179EA-ECE0-4591-AFCB-B6A93C6F6F77\"}]}]}],\"references\":[{\"url\":\"https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5\",\"source\":\"cna@mongodb.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…