Bug 1171353 - (CVE-2020-7921) VUL-0: CVE-2020-7921: mongodb: Improper serialization of internal state in the authorization subsystem may allow a user with valid credentials to bypass IP whitelisting protection
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None, Severity: Minor
Assigned To: Cloud Bugs
Security Team bot
https://smash.suse.de/issue/259176/
Reported: 2020-05-07 10:51 UTC by Alexandros Toptsoglou
Modified: 2020-05-07 10:52 UTC

Found By: Security Response Team

Description Alexandros Toptsoglou 2020-05-07 10:51:46 UTC
CVE-2020-7921

Improper serialization of internal state in the authorization subsystem in
MongoDB Server's authorization subsystem permits a user with valid credentials
to bypass IP whitelisting protection mechanisms following administrative action.
This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0
versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to
3.6.18.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7921
https://jira.mongodb.org/browse/SERVER-45472

Comment 1 Alexandros Toptsoglou 2020-05-07 10:52:49 UTC
Seems that only versions from 2.5.3 and on are affected. Cloud7 ships an older version. Closing