Vulnerability Change Records for CVE-2024-1351

Change History

New CVE Received by NIST 3/07/2024 12:15:12 PM

Action Type Old Value New Value
Added CVSS V3.1
MongoDB, Inc. AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE
MongoDB, Inc. CWE-295
Added Description
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections succeeding. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.

Required Configuration: A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

Added Reference
MongoDB, Inc. https://jira.mongodb.org/browse/SERVER-72839 [No types assigned]
Added Reference
MongoDB, Inc. https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024 [No types assigned]
Added Reference
MongoDB, Inc. https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024 [No types assigned]
Added Reference
MongoDB, Inc. https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024 [No types assigned]
Added Reference
MongoDB, Inc. https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024 [No types assigned]
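
An audit check for the affected versions and the Required Configuration stated in the description above, as an added example (not NVD or MongoDB code). The function names, the sample config and its file path are constructed for illustration; the parser assumes block-style YAML mappings only, and only release series named in the description are evaluated.

```python
import re

# Last affected patch release per series, taken from the CVE description.
LAST_AFFECTED = {(7, 0): 5, (6, 0): 13, (5, 0): 24, (4, 4): 28}
TLS_MODES = {"allowTLS", "preferTLS", "requireTLS"}
# Command-line options that override the matching config-file settings.
CLI_OPTS = {"--tlsMode": "net.tls.mode", "--tlsCAFile": "net.tls.CAFile"}

# Constructed sample mongod.conf: TLS enabled, no net.tls.CAFile.
SAMPLE_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem  # constructed path
"""

def flatten_conf(text):
    """Flatten nested 'key: value' mappings into dotted keys (net.tls.mode)."""
    flat, stack = {}, []  # stack holds (indent, key) of the open mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()  # drop comments
        m = re.match(r"( *)([^:\s]+)\s*:\s*(.*)$", line)
        if not m:
            continue  # blank line or something that is not a mapping entry
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\" ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return flat

def version_affected(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and patch <= last

def matches_cve_conditions(version, conf_text, argv=()):
    """True when version and settings match the conditions in the description."""
    conf, args = flatten_conf(conf_text), list(argv)
    for i, arg in enumerate(args):  # accepts '--opt value' and '--opt=value'
        name, _, val = arg.partition("=")
        if name in CLI_OPTS:
            conf[CLI_OPTS[name]] = val or (args[i + 1] if i + 1 < len(args) else "")
    tls_on = conf.get("net.tls.mode") in TLS_MODES
    return version_affected(version) and tls_on and not conf.get("net.tls.CAFile")
```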