MongoDB Database Tools / TOOLS-2587

sslAllowInvalidHostnames bypasses SSL/TLS server certificate validation entirely


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 100.2.0
    • Component/s: All Tools
    • Labels: None
    • Documentation Changes: Needed
    • Documentation Changes Summary: In all Mongo-tools doc, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior in the ticket.
    • v4.2, v4.0, v3.6, v3.4, v3.2

    Description

      CVE-2020-7924

      Title
      Specific command line parameter might result in accepting invalid certificate

      CVE ID
      CVE-2020-7924

      Description
      Use of a specific command-line parameter in MongoDB Tools, originally intended only to skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.

      CVSS score
      This issue's CVSS:3.1 severity is scored at 4.2 using the following scoring metrics:
      https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

      Affected products
      MongoDB Inc. MongoDB Database Tools, Mongomirror

      Affected versions:
      MongoDB Database Tools 3.6 - versions after 3.6.5 and before 3.6.21
      MongoDB Database Tools 4.0 - versions before 4.0.21
      MongoDB Database Tools 4.2 - versions before 4.2.11
      MongoDB Database Tools 100 - versions before 100.2.0

      Mongomirror 0 - versions after 0.6.0

      CWE
      CWE-295: Improper Certificate Validation
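The advisory describes the general shape of CWE-295 in a TLS client: an option meant to relax only the hostname match instead switches off chain validation as a whole. The MongoDB Database Tools are written in Go, so the example below shows the distinction in Go's crypto/tls. It is an added illustration, not code from the tools or from this ticket, and it does not claim to be the tools' actual root cause: `skipEverythingConfig` is the over-broad behaviour the advisory warns about (`InsecureSkipVerify` alone checks nothing), and `hostnameOnlyConfig` is one correct way to implement "allow invalid hostnames" (re-run chain validation in `VerifyPeerCertificate` with `DNSName` left empty). The CA names, the hostnames `db.example.com` and `other.example.com`, and the `asyncPair` in-memory transport are constructed test plumbing. The example goes slightly beyond the ticket by also showing that the hostname-only verifier accepts a trusted certificate issued for a different name, which is exactly the single check such an option is meant to drop.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// cert builds a constructed test certificate (no real MongoDB material): with a nil
// parent a self-signed CA root, otherwise a server leaf for name signed by that parent.
func cert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// skipEverythingConfig is the behaviour the ticket describes: InsecureSkipVerify
// alone disables chain, expiry and hostname checks, not only the hostname check.
func skipEverythingConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

// hostnameOnlyConfig is what "allow invalid hostnames" should mean: the built-in
// verifier is off, but the callback re-runs chain validation against roots with
// DNSName left empty, so only the name match is skipped.
func hostnameOnlyConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0]) // crypto/tls rejects empty chains before calling this
			if err != nil {
				return err
			}
			inter := x509.NewCertPool() // everything after the leaf is an intermediate
			for _, raw := range rawCerts[1:] {
				c, err := x509.ParseCertificate(raw)
				if err != nil {
					return err
				}
				inter.AddCert(c)
			}
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
				KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}) // no DNSName on purpose
			return err
		}}
}

// asyncPair is test plumbing only: two connected in-memory conns whose writes do
// not block on the peer's reads (a bare net.Pipe would deadlock the handshake).
func asyncPair() (net.Conn, net.Conn) {
	a, relayA := net.Pipe()
	b, relayB := net.Pipe()
	go func() { io.Copy(relayB, relayA); relayB.Close() }()
	go func() { io.Copy(relayA, relayB); relayA.Close() }()
	return a, b
}

// handshake runs a complete in-memory TLS handshake and returns the client's verdict.
func handshake(serverCert tls.Certificate, client *tls.Config) error {
	s, c := asyncPair()
	defer s.Close()
	done := make(chan error, 1)
	go func() { done <- tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake() }()
	err := tls.Client(c, client).Handshake()
	c.Close() // also unblocks the server if the client rejected the certificate
	<-done
	return err
}

func main() {
	ca, _ := cert("constructed trusted CA", nil, nil)
	rogueCA, rogueKey := cert("constructed rogue CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, key := cert("db.example.com", rogueCA, rogueKey) // not issued by the trusted CA
	rogue := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}
	fmt.Println("hostname-only, rogue CA:  ", handshake(rogue, hostnameOnlyConfig(roots)))
	fmt.Println("skip everything, rogue CA:", handshake(rogue, skipEverythingConfig()))
}
```

Running it prints a certificate error for the first handshake and `<nil>` for the second: the same untrusted server is rejected by the hostname-only client and accepted by the skip-everything client. The fix for a tool that exposes an "allow invalid hostnames" switch is therefore to pair `InsecureSkipVerify` with a `VerifyPeerCertificate` callback like the one above, and to keep a separate, clearly named switch for skipping chain validation altogether.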

            People

              Huan Li (huan.li@mongodb.com)
              Matthew Chiaravalloti, Ryan Chipman, Tim Fogarty
              Votes: 1
              Watchers: 12
