MongoDB Database Tools / TOOLS-2587

sslAllowInvalidHostnames bypasses SSL/TLS server certificate validation entirely


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 100.2.0
    • Component/s: All Tools
    • Labels:
      None
    • Documentation Changes:
      Needed
    • Documentation Changes Summary:
      In all MongoDB Tools documentation, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior reported in this ticket.
    • Backport Requested:
      v4.2, v4.0, v3.6, v3.4, v3.2
    • Case:

      Description

      CVE-2020-7924

      Title
      Specific command line parameter might result in accepting invalid certificate

      CVE ID
      CVE-2020-7924

      Description
      Use of a specific command-line parameter in MongoDB Tools, which was originally intended only to skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.

      CVSS score
      This issue's CVSS:3.1 severity is scored at 4.2 using the following scoring metrics:
      https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

      Affected products
      MongoDB Inc. MongoDB Database Tools, Mongomirror

      Affected versions:
      MongoDB Database Tools 3.6 - versions after 3.6.5 and before 3.6.21
      MongoDB Database Tools 4.0 - versions before 4.0.21
      MongoDB Database Tools 4.2 - versions before 4.2.11
      MongoDB Database Tools 100 - versions before 100.2.0

      Mongomirror 0 - versions after 0.6.0

      CWE
      CWE-295: Improper Certificate Validation

              People

              Assignee:
              huan.li Huan Li
              Reporter:
              huan.li Huan Li
              Reviewers:
              Matthew Chiaravalloti, Ryan Chipman, Tim Fogarty