Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-2587

sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 100.2.0
    • All Tools
    • None
    • Needed
    • In all Mongo-tools doc, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior in the ticket.
    • v4.2, v4.0, v3.6, v3.4, v3.2

    Description

      CVE-2020-7924

      Title
      Specific command line parameter might result in accepting invalid certificate

      CVE ID
      CVE-2020-7924

      Description
      Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.

      CVSS score
      This issue's CVSS:3.1 severity is scored at 4.2 using the following scoring metrics:
      https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

      Affected products
      MongoDB Inc. MongoDB Database Tools, Mongomirror

      Affected versions:
      MongoDB Database Tools 3.6 - versions after 3.6.5 and before 3.6.21
      MongoDB Database Tools 4.0 - versions before 4.0.21
      MongoDB Database Tools 4.2 - versions before 4.2.11
      MongoDB Database Tools 100 - versions before 100.2.0

      Mongomirror 0 - versions after 0.6.0

      CWE
      CWE-295: Improper Certificate Validation

      Attachments

        Issue Links

          backported by

          Backport - To identify issues that need to be backported to previous releases. TOOLS-2588 [v4.2] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

          • Major - P3 - Major loss of function.
          • Closed

          Backport - To identify issues that need to be backported to previous releases. TOOLS-2589 [v4.0] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

          • Major - P3 - Major loss of function.
          • Closed

          Backport - To identify issues that need to be backported to previous releases. TOOLS-2590 [v3.6] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

          • Major - P3 - Major loss of function.
          • Closed

          Backport - To identify issues that need to be backported to previous releases. TOOLS-2591 [v3.4] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

          • Major - P3 - Major loss of function.
          • Closed

          Backport - To identify issues that need to be backported to previous releases. TOOLS-2592 VERIFY - [v3.2] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

          • Major - P3 - Major loss of function.
          • Closed
          depends on

          New Feature - A new feature of the product, which has yet to be developed. GODRIVER-1617 add option to JUST skip hostname verification for ssl/tls

          • Major - P3 - Major loss of function.
          • Closed
          is caused by

          Task - A task that needs to be done. TOOLS-1948 Use Go-native TLS dialer on platforms with openssl 0.9.x

          • Critical - P2 - Crashes, loss of data, severe memory leak.
          • Closed
          is documented by

          Task - A task that needs to be done. DOCS-13817 [TOOLS] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

          • Major - P3 - Major loss of function.
          • Closed
          links to

          GitHub Pull Request (10gen/mongomirror master)

          GitHub Pull Request (mongodb/mongo-tools master)

          GitHub Pull Request (mongodb/mongo-tools master)

          GitHub Pull Request (mongodb/mongo-tools-common master)

          GitHub Pull Request (mongodb/mongo-tools-common master)

          Activity

            People

              huan.li@mongodb.com Huan Li
              huan.li@mongodb.com Huan Li
              Matthew Chiaravalloti, Ryan Chipman, Tim Fogarty
              Votes:
              1 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: