CVE-2020-7922 vulnerability in MongoDB Products
Published on April 9, 2020
Kubernetes Operator generates potentially insecure certificates
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may give an attacker who already has access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates, are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, version 1.1, version 1.2 versions prior to 1.2.4, version 1.3 versions prior to 1.3.1, 1.2, and version 1.4 versions prior to 1.4.4.
Vulnerability Analysis
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it may allow an attacker to spoof a trusted entity by interfering in the communication path between the host and the client. The software might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2020-7922
Affected Versions
MongoDB Inc. MongoDB Enterprise Kubernetes Operator:
- Version 1.0 is affected.
- Version 1.1 is affected.
- Version 1.2, <= 1.2.4 is affected.
- Version 1.3, <= 1.3.1 is affected.
- Version 1.4, <= 1.4.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with those of all other vulnerabilities.