Project: MongoDB Database Tools
Issue: TOOLS-2587

sslAllowInvalidHostnames bypasses SSL/TLS server certificate validation entirely

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 100.2.0
    • Affects Version/s: None
    • Component/s: All Tools
    • Labels: None
    • Documentation Changes: Needed
    • In all mongo-tools docs, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior in this ticket.
    • v4.2, v4.0, v3.6, v3.4, v3.2

      CVE-2020-7924

      Title
      Specific command line parameter might result in accepting invalid certificate

      CVE ID
      CVE-2020-7924

      Description
      Use of a specific command line parameter in MongoDB Tools, which was originally intended only to skip hostname checks, may result in MongoDB Tools skipping all certificate validation. This may result in accepting invalid certificates.

      CVSS score
      This issue's CVSS:3.1 severity is scored at 4.2 using the following scoring metrics:
      https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

      Affected products
      MongoDB Inc. MongoDB Database Tools, Mongomirror

      Affected versions:
      MongoDB Database Tools 3.6 - versions after 3.6.5 and before 3.6.21
      MongoDB Database Tools 4.0 - versions before 4.0.21
      MongoDB Database Tools 4.2 - versions before 4.2.11
      MongoDB Database Tools 100 - versions before 100.2.0

      Mongomirror 0 - versions after 0.6.0

      CWE
      CWE-295: Improper Certificate Validation

            Assignee: Huan Li (huan.li@mongodb.com)
            Reporter: Huan Li (huan.li@mongodb.com)
            Matthew Chiaravalloti, Ryan Chipman, Tim Fogarty
            Votes: 1
            Watchers: 12
