CVE-2020-7927 is a vulnerability in MongoDB Ops Manager
Published on November 23, 2020
Potential privilege escalation in Ops Manager API
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.
Vulnerability Analysis
CVE-2020-7927 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Incorrect Use of Privileged APIs
The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
Products Associated with CVE-2020-7927
Affected Versions
MongoDB Inc. MongoDB Ops Manager:
- Version 4.2, <= 4.2.17 is affected.
- Version 4.3, <= 4.3.9 is affected.
- Version 4.4, <= 4.4.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.