Miggo Logo

CVE-2020-7924: MongoDB Tools Improper Certificate Validation vulnerability

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.41835%
Published
5/24/2022
Updated
7/3/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/mongodb/mongo-toolsgo>= 100.0.0, < 100.2.0100.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the conditional check in configureClient() that combines SSLAllowInvalidCert/SSLAllowInvalidHost with TLSInsecure. The commit diff shows this function was modified to add TLSInsecure to the condition, but more critically, the original logic (opts.SSLAllowInvalidCert || opts.SSLAllowInvalidHost) caused InsecureSkipVerify to disable all validation when either deprecated flag was used. This matches the CWE-295 description of improper certificate validation, as using --sslAllowInvalidHostnames (intended for hostname checks only) inadvertently disabled full certificate validation through this function's logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Us*** o* sp**i*i* *omm*n* lin* p*r*m*t*r in Mon*o** Tools w*i** w*s ori*in*lly int*n*** to just skip *ostn*m* ****ks, m*y r*sult in Mon*o** skippin* *ll **rti*i**t* v*li**tion. T*is m*y r*sult in ****ptin* inv*li* **rti*i**t*s.T*is issu* *****ts: Mon

Reasoning

T** vuln*r**ility st*ms *rom t** *on*ition*l ****k in `*on*i*ur**li*nt()` t**t *om*in*s `SSL*llowInv*li***rt`/`SSL*llowInv*li**ost` wit* `TLSIns**ur*`. T** *ommit *i** s*ows t*is *un*tion w*s mo*i*i** to *** `TLSIns**ur*` to t** *on*ition, *ut mor* *