CVE-2023-4009

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-4009
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

7.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://security.netapp.com/advisory/ntap-20230831-0013/
https://security.netapp.com/advisory/ntap-20230831-0013/
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 Vendor Advisory
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 Vendor Advisory
https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 Vendor Advisory
https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
History

13 Feb 2025, 17:17

Type Values Removed Values Added
Summary In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation. In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.
References
  • () https://security.netapp.com/advisory/ntap-20230831-0013/ -
References (MISC) https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 - Vendor Advisory () https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 - Vendor Advisory
References (MISC) https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 - Vendor Advisory () https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 - Vendor Advisory

14 Aug 2023, 16:32

Type Values Removed Values Added
First Time Mongodb
Mongodb ops Manager Server
CPE cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*
CWE CWE-269
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.2
References (MISC) https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 - (MISC) https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22 - Vendor Advisory
References (MISC) https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 - (MISC) https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0 - Vendor Advisory

08 Aug 2023, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-08-08 09:15

Updated : 2025-02-13 17:17

NVD link : CVE-2023-4009

Mitre link : CVE-2023-4009

JSON object : View

Products Affected

mongodb

  • ops_manager_server
CWE
CWE-269

Improper Privilege Management