Bug 1732358 (CVE-2015-7882) - CVE-2015-7882 mongodb: improper handling of LDAP authentication leading to unauthorized access
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-7882
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1732359
Blocks: 1732360
Reported: 2019-07-23 08:46 UTC by Marian Rehak
Modified: 2019-09-29 15:18 UTC (History)

Fixed In Version: enterprise mongodb 3.0.7, enterprise mongodb 3.1.9
Doc Type: If docs needed, set a value
Doc Text:
An authentication issue was found in MongoDB. The improper handling of LDAP authentication in MongoDB Enterprise versions 3.0.0 through 3.0.6 can allow an unauthenticated client to gain unauthorized access. The MongoDB Community Edition is not affected by this vulnerability.
Clone Of:
Environment:
Last Closed: 2019-08-01 13:18:20 UTC



Description Marian Rehak 2019-07-23 08:46:29 UTC
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. Only deployments using LDAP authentication are affected by this vulnerability!

External References:

https://jira.mongodb.org/browse/SERVER-20691

Comment 1 Marian Rehak 2019-07-23 08:46:43 UTC
Created mongodb tracking bugs for this issue:

Affects: fedora-29 [bug 1732359]

Comment 3 Summer Long 2019-07-24 01:18:20 UTC
Per upstream notice (https://jira.mongodb.org/browse/SERVER-20691): 
"The Community edition of MongoDB is not affected by this vulnerability."

Comment 9 Riccardo Schirone 2019-08-01 08:10:47 UTC
Statement:

All versions of the following products which include mongodb include only MongoDB's Community edition, and are therefore not affected by this vulnerability:
* Red Hat OpenStack Platform
* Red Hat Software Collections
* Red Hat Update Infrastructure

Comment 10 Product Security DevOps Team 2019-08-01 13:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-7882

