CVE-2023-4009

HIGH

MongoDB Ops Manager <5.0.22, <6.0.17 - Privilege Escalation

Title source: llm

Description

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17, it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner, resulting in privilege escalation.

Scores

CVSS v3 7.2
EPSS 0.0015
EPSS Percentile 34.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-269 CWE-648
Status published
Products (1)
mongodb/ops_manager_server 5.0.0 - 5.0.22
Published Aug 08, 2023
Tracked Since Feb 18, 2026