CVE-2023-4009

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.netapp.com/advisory/ntap-20230831-0013/
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0	Vendor Advisory
https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230831-0013/
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0	Vendor Advisory
https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mongodb:ops_manager_server::::::::
	cpe:2.3:a:mongodb:ops_manager_server::::::::

History

13 Feb 2025, 17:17

Type	Values Removed	Values Added
Summary	(en) In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.	(en) In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

Information

Published : 2023-08-08 09:15

Updated : 2025-02-13 17:17

NVD link : CVE-2023-4009

Mitre link : CVE-2023-4009

CVE.ORG link : CVE-2023-4009

JSON object : View

Products Affected

mongodb

ops_manager_server

CWE

CWE-648

Incorrect Use of Privileged APIs

CWE-269

Improper Privilege Management

{"id": "CVE-2023-4009", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@mongodb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-08-08T09:15:11.023", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230831-0013/", "source": "cna@mongodb.com"}, {"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0", "tags": ["Vendor Advisory"], "source": "cna@mongodb.com"}, {"url": "https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22", "tags": ["Vendor Advisory"], "source": "cna@mongodb.com"}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0013/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-6-0", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.mongodb.com/docs/ops-manager/v5.0/release-notes/application/#onprem-server-5-0-22", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@mongodb.com", "description": [{"lang": "en", "value": "CWE-648"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation."}], "lastModified": "2025-02-13T17:17:14.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8FDA921-C53F-4FEF-B064-A6D28A0ED2C2", "versionEndExcluding": "5.0.22", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:mongodb:ops_manager_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "988C301C-361D-4355-9D16-B590DE17EAD5", "versionEndExcluding": "6.0.17", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@mongodb.com"}