[SERVER-77028] tlsClusterCAFile is not being used to validate client certificates on macOS Created: 11/May/23  Updated: 24/Jan/24  Resolved: 12/May/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0, 6.0.7, 5.0.19, 4.4.23, 7.0.0-rc2

Type: Bug Priority: Major - P3
Reporter: Adrian Gonzalez Montemayor Assignee: Adrian Gonzalez Montemayor
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
related to SERVER-73662 tlsClusterCAFile is not being used to... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0, v6.3, v6.0, v5.0, v4.4
Sprint: Security 2023-05-15
Participants:

Description
CVE-2023-1409

Title:

Certificate validation issue in MongoDB Server running on Windows or macOS

CVE:

CVE-2023-1409

Description:

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), it is possible that client certificate validation is not in effect, potentially allowing a client to establish a TLS connection with the server while supplying any certificate.

This issue affects all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14, and all MongoDB Server v4.4 versions.

CVSS Score:

This issue's CVSS:3.1 severity is scored at 5.3 using the following scoring metrics:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

All Affected Product Versions:

All MongoDB Server v6.3 versions

MongoDB Server v5.0 versions v5.0.0 to v5.0.14

All MongoDB Server v4.4 versions

CWE:
CWE-295: Improper Certificate Validation

How was the Issue Found? (Internally/Externally):

Internally

Public Reference:

SERVER-73662 SERVER-77028
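The description says client certificate validation "may not be in effect" without showing what that means in practice. The Go program below is an added illustration for this page; it is not MongoDB's code and not the fix in the linked commits. It mints a throwaway cluster CA and a throwaway unrelated CA in memory, then runs three loopback handshakes with Go's crypto/tls: a server that verifies client certificates against the cluster CA (the intent of tlsClusterCAFile) accepts a cluster-issued certificate and refuses one from the other CA, while a server that demands a certificate but never validates it (tls.RequireAnyClientCert, used here only to model the reported behaviour) accepts the foreign certificate as well. The names "cluster CA (constructed)", "foreign CA (constructed)", "cluster member" and "anyone" are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert mints a throwaway certificate (constructed for this example): a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func newCert(cn string, usage x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
		DNSNames:     []string{"localhost"},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverAccepts runs one handshake over loopback TCP and reports whether the server completed it (in TLS 1.3 the client finishes before the server has inspected its certificate, so the client's view is ignored).
func serverAccepts(serverCfg, clientCfg *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		defer raw.Close()
		result <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	_ = tls.Client(raw, clientCfg).Handshake()
	return <-result == nil
}

// Outcome records what each server configuration did with each client certificate.
type Outcome struct{ VerifiedAcceptsClusterCert, VerifiedRejectsForeignCert, UnverifiedAcceptsForeignCert bool }

// RunScenarios compares a server that validates client certificates against the cluster CA (what tlsClusterCAFile is meant to achieve) with one that demands a certificate but never checks it.
func RunScenarios() Outcome {
	clusterCA := newCert("cluster CA (constructed)", x509.ExtKeyUsageAny, nil)
	foreignCA := newCert("foreign CA (constructed)", x509.ExtKeyUsageAny, nil)
	server := newCert("localhost", x509.ExtKeyUsageServerAuth, &clusterCA)
	member := newCert("cluster member", x509.ExtKeyUsageClientAuth, &clusterCA)
	outsider := newCert("anyone", x509.ExtKeyUsageClientAuth, &foreignCA)
	pool := x509.NewCertPool()
	pool.AddCert(clusterCA.Leaf)
	// Correct: a presented client certificate must chain to the cluster CA.
	verifying := &tls.Config{
		Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
	}
	// Models the reported behaviour: a certificate is required but not validated against any CA.
	nonVerifying := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAnyClientCert}
	client := func(c tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{c}, RootCAs: pool, ServerName: "localhost"}
	}
	return Outcome{
		VerifiedAcceptsClusterCert:   serverAccepts(verifying, client(member)),
		VerifiedRejectsForeignCert:   !serverAccepts(verifying, client(outsider)),
		UnverifiedAcceptsForeignCert: serverAccepts(nonVerifying, client(outsider)),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios()) // all three fields report true
}
```

Run it with `go run`; every Outcome field should be true. The third field is the defect class this ticket describes (CWE-295): the server asks for a certificate, the handshake succeeds, and nothing ever checked who issued it. The same observation is how an operator confirms that a patched build enforces the cluster CA: a connection presenting a certificate from an unrelated CA must fail the handshake on the server side.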



Comments
Comment by Githook User [ 16/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-77028 tlsClusterCAFile is not being used to validate client certificates on macOS
Branch: v7.0
https://github.com/mongodb/mongo/commit/218d9bd5b17fbd4874447fbe65189d8275eeb357

Comment by Githook User [ 15/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-77028 tlsClusterCAFile is not being used to validate client certificates on macOS
Branch: v6.0
https://github.com/mongodb/mongo/commit/48a0d3bd354b840e943ac416fabfe6a440a77571

Comment by Githook User [ 15/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-77028 tlsClusterCAFile is not being used to validate client certificates on macOS
Branch: v4.4
https://github.com/mongodb/mongo/commit/d0eb7e3e5a2ee1c97bb8b3782b7538aa20457d63

Comment by Githook User [ 15/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-77028 tlsClusterCAFile is not being used to validate client certificates on macOS
Branch: v5.0
https://github.com/mongodb/mongo/commit/b11e9309abfe245d6ce6349b6b0c863fa432c78b

Comment by Githook User [ 12/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-77028 tlsClusterCAFile is not being used to validate client certificates on macOS
Branch: master
https://github.com/mongodb/mongo/commit/ba2d20d1dc6493dd7930b13e7275dbb095952b3b

Generated at Thu Feb 08 06:34:19 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.