CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score confidence: High
EPSS percentile: 5.1%
The version of MongoDB installed on the remote host is 5.0.x prior to 5.0.27, 6.0.x prior to 6.0.16, 7.0.x prior to 7.0.12, or 7.3.x prior to 7.3.3. It is, therefore, affected by the local privilege escalation vulnerability tracked as CVE-2024-7553 and referenced in the SERVER-93211 advisory: incorrect validation of files loaded from a local untrusted directory can let a low-privileged local user make the server execute arbitrary behaviour determined by the contents of those files. The advisory states that only deployments whose underlying operating system is Windows are affected.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Because the check is version-only, confirm that the host actually runs Windows before treating a finding as exploitable; a non-Windows host on an affected version should still be upgraded, but it does not meet the advisory's precondition.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(205616);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/20");

  script_cve_id("CVE-2024-7553");
  script_xref(name:"IAVB", value:"2024-B-0115");

  script_name(english:"MongoDB 5.0.x < 5.0.27 / 6.0.x < 6.0.16 / 7.0.x < 7.0.12 / 7.3.x < 7.3.3 (SERVER-93211)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of MongoDB installed on the remote host is prior to 5.0.27, 6.0.16, 7.0.12, or 7.3.3. It is, therefore,
affected by a vulnerability as referenced in the SERVER-93211 advisory.

  - Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation
    if the underlying operating system is Windows. This may result in the application executing arbitrary
    behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions
    prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to
    7.0.12, MongoDB Server v7.3 versions prior to 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB
    PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the
    underlying operating system are affected by this issue. (CVE-2024-7553)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://jira.mongodb.org/browse/SERVER-93211");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MongoDB version 5.0.27 / 6.0.16 / 7.0.12 / 7.3.3 or later.");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-7553");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/08/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/08/15");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mongodb:mongodb");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mongodb_win_installed.nbin", "mongodb_detect.nasl");
  script_require_ports("installed_sw/MongoDB", "Services/mongodb");

  exit(0);
}

include('vcf.inc');

# Version detected by the dependencies above (local install or remote banner).
var app_info = vcf::get_app_info(app:'MongoDB');

# One row per affected release branch: flagged when min_version <= version < fixed_version.
var constraints = [
  { 'min_version' : '5.0', 'fixed_version' : '5.0.27' },
  { 'min_version' : '6.0', 'fixed_version' : '6.0.16' },
  { 'min_version' : '7.0', 'fixed_version' : '7.0.12' },
  { 'min_version' : '7.3', 'fixed_version' : '7.3.3' }
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
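The plugin's verdict is a pure version-range comparison, and the advisory adds a precondition the plugin does not evaluate (the host must be Windows). The following is an added example, not part of the Tenable plugin or of MongoDB's code, that reproduces the constraint table above in Python and layers the Windows precondition on top, so a scan result can be triaged into "version affected" versus "exploitable as described". The host inventory (`SAMPLE_HOSTS`) is constructed for the demonstration; the pre-release ordering rule (an `-rcN` build sorts before the final release of the same number) is an assumption of this example, not something the plugin states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constraint table transcribed from the plugin above: a branch is affected when
# its version is >= min_version and < fixed_version.
CONSTRAINTS: List[Dict[str, str]] = [
    {"min_version": "5.0", "fixed_version": "5.0.27"},
    {"min_version": "6.0", "fixed_version": "6.0.16"},
    {"min_version": "7.0", "fixed_version": "7.0.12"},
    {"min_version": "7.3", "fixed_version": "7.3.3"},
]

# Accepts "7.0.12", "v7.0.12", "7.0" and pre-release forms such as "7.3.3-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc|alpha|beta)\d*)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a MongoDB version string into a comparable tuple.

    The fourth element ranks pre-releases (0) below the final release (1) of the
    same number, so 7.3.3-rc1 still compares as older than the 7.3.3 fix
    (an assumption of this example). A missing patch component, as in the
    plugin's "7.0" lower bounds, is read as .0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def matching_constraint(version: str) -> Optional[Dict[str, str]]:
    """Return the constraint row the version falls into, or None if unaffected."""
    v = parse_version(version)
    for c in CONSTRAINTS:
        lo = parse_version(c["min_version"])
        hi = parse_version(c["fixed_version"])
        # Lower bound is compared on major.minor.patch only, so a pre-release of
        # the branch's first version (e.g. 7.0.0-rc0) still counts as in-branch.
        if v[:3] >= lo[:3] and v < hi:
            return c
    return None


def assess(version: str, os_name: str) -> Dict[str, object]:
    """Combine the plugin's version verdict with the advisory's Windows precondition."""
    c = matching_constraint(version)
    is_windows = os_name.lower().startswith("win")
    return {
        "version": version,
        "vulnerable_version": c is not None,          # what the plugin alone reports
        "fixed_version": c["fixed_version"] if c else None,
        "os_is_windows": is_windows,
        "exploitable": c is not None and is_windows,  # advisory: Windows only
    }


# Constructed inventory for the demonstration; not data from any real scan.
SAMPLE_HOSTS = [
    ("db-win-01", "7.0.11", "Windows Server 2022"),
    ("db-win-02", "7.0.12", "Windows Server 2022"),
    ("db-lnx-01", "6.0.15", "Ubuntu 22.04"),
    ("db-win-03", "v7.3.3-rc1", "Windows Server 2019"),
    ("db-win-04", "4.4.29", "Windows Server 2019"),
]


def triage(hosts=SAMPLE_HOSTS) -> List[Dict[str, object]]:
    """Run assess() over an inventory and return one verdict per host."""
    return [{"host": h, **assess(v, o)} for h, v, o in hosts]


if __name__ == "__main__":
    for row in triage():
        if row["exploitable"]:
            flag = "EXPLOITABLE"
        elif row["vulnerable_version"]:
            flag = "version-only"
        else:
            flag = "ok"
        print(f'{row["host"]:10} {row["version"]:12} {flag:12} fix={row["fixed_version"]}')
```

The "version-only" bucket is the one to watch in practice: those hosts still need the upgrade listed in the solution, but they do not satisfy the Windows requirement the advisory attaches to CVE-2024-7553, so they should not be prioritised as a live local privilege escalation.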