CVE-2020-7922 MEDIUM

CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates

Vendor MongoDB Inc.
Product MongoDB Enterprise Kubernetes Operator
Weakness CWE-295
Published April 9, 2020
Last update September 16, 2024

CVSS base score

6.4/10
Attack vector Adjacent
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster to gain improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates, are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, MongoDB Enterprise Kubernetes Operator version 1.1, MongoDB Enterprise Kubernetes Operator version 1.2 versions prior to 1.2.4, MongoDB Enterprise Kubernetes Operator version 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.

Key dates

02 Disclosure timeline

April 9, 2020 CVE published
September 16, 2024 Record updated