Certificate validation issue in MongoDB Server running on Windows or macOS
Description
MongoDB Server on Windows/macOS with certain TLS configs fails to validate client certificates, allowing unauthorized TLS connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MongoDB Server versions 6.3, 5.0.0 through 5.0.14, and all 4.4 releases running on Windows or macOS are affected by a client certificate validation bypass (CWE-295) [1][2]. When the server is started with TLS options that behave correctly on Linux, it may fail to validate client certificates on these platforms, so any certificate presented by a client is accepted.
Exploitation
An attacker with network access to the MongoDB server can exploit this by initiating a TLS connection using any client certificate. The attack complexity is rated high (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) and the vector requires user interaction, most likely the client initiating the connection. No authentication is needed.
Impact
Successful exploitation allows an unauthenticated attacker to establish a TLS connection with the server using a forged or arbitrary certificate, bypassing client identity verification. This could lead to unauthorized access to MongoDB data, resulting in information disclosure (high confidentiality impact).
Mitigation
No specific mitigation is provided in the available references [1][2]. Users should consult the MongoDB security advisory for patched versions or apply workarounds such as using TLS configurations that enforce certificate validation on all platforms.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
MongoDB Inc / MongoDB Server, version range: 6.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.