{ "document": { "aggregate_severity": { "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "* SECURITY UPDATE: TLS peer certificate validation bypass\n - debian/patches/CVE-2024-1351.patch: add SSL_CTX_set_verify() call in\n _setupSystemCA(), remove hasCA bypass in parseAndValidatePeerCertificate(),\n add tlsUseSystemCA server parameter, require either tlsCAFile or\n tlsUseSystemCA when TLS is enabled to prevent accepting peer connections\n without validating certificates.\n - CVE-2024-1351", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1774566928", "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1774566928" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_docker/debian13/advisories/2026/clsa-2026_1774566928.json" } ], "tracking": { "current_release_date": "2026-03-26T23:16:05Z", "generator": { "date": "2026-03-26T23:16:05Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1774566928", "initial_release_date": "2026-03-26T23:16:05Z", "revision_history": [ { "date": "2026-03-26T23:16:05Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "Fix CVE(s): CVE-2024-1351" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian 13", "product": { "name": "Debian 13", "product_id": "Debian-13", "product_identification_helper": { "cpe": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Debian" } ], "category": "vendor", "name": "Software in the Public Interest, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "product": { "name": "mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "product_id": "mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42-server@4.2.25-1%2Btuxcare.els3?arch=amd64&os_name=debian&os_version=13" } } }, { "category": "product_version", "name": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "product": { "name": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "product_id": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42-shell@4.2.25-1%2Btuxcare.els3?arch=amd64&os_name=debian&os_version=13" } } }, { "category": "product_version", "name": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "product": { "name": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "product_id": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42-mongos@4.2.25-1%2Btuxcare.els3?arch=amd64&os_name=debian&os_version=13" } } }, { "category": "product_version", "name": "mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "product": { "name": "mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "product_id": "mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42@4.2.25-1%2Btuxcare.els3?arch=amd64&os_name=debian&os_version=13" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "product": { "name": "mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "product_id": "mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42-server@4.2.25-1%2Btuxcare.els3?arch=arm64&os_name=debian&os_version=13" } } }, { "category": "product_version", "name": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64", "product": { "name": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64", "product_id": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42-shell@4.2.25-1%2Btuxcare.els3?arch=arm64&os_name=debian&os_version=13" } } }, { "category": "product_version", "name": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "product": { "name": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "product_id": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42-mongos@4.2.25-1%2Btuxcare.els3?arch=arm64&os_name=debian&os_version=13" } } }, { "category": "product_version", "name": "mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "product": { "name": "mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "product_id": "mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/mongodb42@4.2.25-1%2Btuxcare.els3?arch=arm64&os_name=debian&os_version=13" } } } ], "category": "architecture", "name": "arm64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64" }, "product_reference": "mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64" }, "product_reference": "mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64" }, "product_reference": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64" }, "product_reference": "mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64" }, "product_reference": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64" }, "product_reference": "mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-0:4.2.25-1+tuxcare.els3.amd64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.amd64" }, "product_reference": "mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "relates_to_product_reference": "Debian-13" }, { "category": "default_component_of", "full_product_name": { "name": "mongodb42-0:4.2.25-1+tuxcare.els3.arm64 as a component of Debian 13", "product_id": "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.arm64" }, "product_reference": "mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "relates_to_product_reference": "Debian-13" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-1351", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "description", "text": "Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2024-1351" }, { "category": "external", "summary": "https://jira.mongodb.org/browse/SERVER-72839", "url": "https://jira.mongodb.org/browse/SERVER-72839" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20240524-0010/", "url": "https://security.netapp.com/advisory/ntap-20240524-0010/" }, { "category": "external", "summary": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024", "url": "https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024" }, { "category": "external", "summary": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024", "url": "https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024" }, { "category": "external", "summary": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024", "url": "https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024" }, { "category": "external", "summary": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024", "url": "https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024" } ], "release_date": "2024-03-07T17:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-26T23:15:30.476833Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1774566928", "product_ids": [ "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64" ], "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1774566928" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-mongos-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-server-0:4.2.25-1+tuxcare.els3.arm64", "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.amd64", "Debian-13:mongodb42-shell-0:4.2.25-1+tuxcare.els3.arm64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ] } ] }