CVE-2023-0342 MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive

2023-06-0900:00:00

CWE-497

mongodb

www.cve.org

cve-2023-0342

mongodb ops manager

diagnostic archive

sensitive information

pem key file

password

CVSS3

3.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Score

5.6

Confidence

High

EPSS

0.014

Percentile

86.6%

JSON

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "MongoDB Ops Manager ",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "lessThan": "5.0.21",
        "status": "affected",
        "version": "v5.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.0.12 ",
        "status": "affected",
        "version": "v6.0",
        "versionType": "custom"
      }
    ]
  }
]