CVE-2020-7927 HIGH

CVE-2020-7927: Potential privilege escalation in Ops Manager API

Vendor MongoDB Inc.
Product MongoDB Ops Manager
Weakness CWE-648
Published November 23, 2020
Last update September 17, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2.

Key dates

02 Disclosure timeline

November 23, 2020 CVE published
September 17, 2024 Record updated