1732358 – (CVE-2015-7882) CVE-2015-7882 mongodb: improper handling of LDAP authentication leading to unauthorized access

Bug 1732358 (CVE-2015-7882) - CVE-2015-7882 mongodb: improper handling of LDAP authentication leading to unauthorized access

Summary: CVE-2015-7882 mongodb: improper handling of LDAP authentication leading to un...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-7882
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1732359
Blocks:	1732360
TreeView+	depends on / blocked

Reported:	2019-07-23 08:46 UTC by Marian Rehak
Modified:	2021-02-16 21:37 UTC (History)
CC List:	31 users (show)
Fixed In Version:	enterprise mongodb 3.0.7, enterprise mongodb 3.1.9
Doc Type:	If docs needed, set a value
Doc Text:	An authentication issue was found in MongoDB. The improper handling of LDAP authentication in MongoDB Enterprise versions 3.0.0 through 3.0.6 can allow an unauthenticated client to gain unauthorized access. The MongoDB Community Edition is not affected by this vulnerability.
Clone Of:
Environment:
Last Closed:	2019-08-01 13:18:20 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2019-07-23 08:46:29 UTC

Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. !Only deployments using LDAP authentication are affected by this vulnerability!

External References:

https://jira.mongodb.org/browse/SERVER-20691

Comment 1 Marian Rehak 2019-07-23 08:46:43 UTC

Created mongodb tracking bugs for this issue:

Affects: fedora-29 [bug 1732359]

Comment 3 Summer Long 2019-07-24 01:18:20 UTC

Per upstream notice (https://jira.mongodb.org/browse/SERVER-20691): 
"The Community edition of MongoDB is not affected by this vulnerability."

Comment 9 Riccardo Schirone 2019-08-01 08:10:47 UTC

Statement:

All versions of the following products which include mongodb include only MongoDB's Community edition, and are therefore not affected by this vulnerability:
* Red Hat OpenStack Platform
* Red Hat Software Collections
* Red Hat Update Infrastructure

Comment 10 Product Security DevOps Team 2019-08-01 13:18:20 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-7882

Note You need to log in before you can comment on or make changes to this bug.

admiller
athomas
bbuckingham
bcourt
bkearney
btotty
clalancette
databases-maint
dbecker
hhorak
hhudgeon
jjoyce
jorton
jpacner
jschluet
kbasil
lhh
lpeer
lzap
mburns
mhulan
mmccune
mskalick
panovotn
rchan
rjerrido
sclewis
slinaber
strobert
tdawson
tomm.momi