Description
We recently identified and addressed a significant security vulnerability: an authorization bypass that allowed an attacker to issue an integration removal request by obtaining the internal MongoDB _id of an integration and then sending an unauthorized DELETE request for that integration.
The issue was discovered and disclosed ethically, and a hotfix was released within a 2-hour window of disclosure. System logs have been monitored to confirm that no enumeration attempts were made.
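The following is an added illustration of the bug class described above and of the log check mentioned in the last sentence; it is not the project's own code. The request shape, the `ownerId` field on integration documents, the `/api/integrations/<id>` route and the log line format are all assumptions made for the example, and the in-memory store stands in for a MongoDB collection.

```javascript
// Constructed sample data: two tenants, each owning one integration.
// The _id values are made-up 24-hex-character strings in ObjectId format.
function makeStore() {
  return new Map([
    ["64b0f0000000000000000001", { _id: "64b0f0000000000000000001", ownerId: "tenant-a", name: "slack" }],
    ["64b0f0000000000000000002", { _id: "64b0f0000000000000000002", ownerId: "tenant-b", name: "jira" }],
  ]);
}

// Minimal stand-in for collection.deleteOne(filter): removes the first
// document matching every key of the filter and reports deletedCount,
// mirroring the MongoDB driver's result shape.
function deleteOne(store, filter) {
  for (const [id, doc] of store) {
    if (Object.keys(filter).every((k) => doc[k] === filter[k])) {
      store.delete(id);
      return { deletedCount: 1 };
    }
  }
  return { deletedCount: 0 };
}

// Vulnerable handler (the pattern behind the advisory): the caller is
// authenticated, but the delete filter is the _id alone, so any authenticated
// caller who knows another tenant's _id can remove that tenant's integration.
function deleteIntegrationVulnerable(store, req) {
  if (!req.user) return { status: 401 };
  const { deletedCount } = deleteOne(store, { _id: req.params.id });
  return { status: deletedCount ? 204 : 404 };
}

// Hardened handler: ownership is part of the delete filter itself, so the
// authorization decision and the write cannot diverge (no window between a
// separate find() and the deleteOne()). A foreign _id looks exactly like a
// nonexistent one, so the response does not confirm that an _id exists.
function deleteIntegrationSecure(store, req) {
  if (!req.user) return { status: 401 };
  const { deletedCount } = deleteOne(store, {
    _id: req.params.id,
    ownerId: req.user.tenantId,
  });
  return { status: deletedCount ? 204 : 404 };
}

// Constructed access-log lines (assumed format) used to illustrate the
// enumeration check: repeated 404s on DELETE from one caller are the signal
// that someone is probing _id values that do not belong to them.
const SAMPLE_LOG = [
  "2024-05-01T10:00:01Z user=tenant-a DELETE /api/integrations/64b0f0000000000000000001 204",
  "2024-05-01T10:00:02Z user=tenant-a DELETE /api/integrations/64b0f0000000000000000009 404",
  "2024-05-01T10:00:03Z user=tenant-c DELETE /api/integrations/64b0f0000000000000000002 404",
  "2024-05-01T10:00:04Z user=tenant-c DELETE /api/integrations/64b0f0000000000000000003 404",
  "2024-05-01T10:00:05Z user=tenant-c DELETE /api/integrations/64b0f0000000000000000004 404",
  "2024-05-01T10:00:06Z GET /healthz 200",
];

// Returns the callers whose count of 404 responses on integration DELETEs
// reaches the threshold; lines that do not match the expected format are skipped.
function flagEnumeration(lines, threshold = 3) {
  const re = /^\S+ user=(\S+) DELETE \/api\/integrations\/\S+ (\d{3})$/;
  const misses = new Map();
  for (const line of lines) {
    const m = re.exec(line);
    if (!m || m[2] !== "404") continue;
    misses.set(m[1], (misses.get(m[1]) || 0) + 1);
  }
  return [...misses].filter(([, n]) => n >= threshold).map(([user]) => user);
}

module.exports = { makeStore, deleteOne, deleteIntegrationVulnerable, deleteIntegrationSecure, SAMPLE_LOG, flagEnumeration };
```

The point of folding the ownership condition into the delete filter is that a tenant-scoped filter is the only place the check can never be skipped: a separate "find, then compare owner, then delete" sequence is easy to get wrong in one handler and leave correct in another.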
Patches
The fix was deployed to our cloud offering immediately, and a patched v0.20.0
Docker image of the API was released at the same time.
Credit
Sumit Sahoo - https://www.sumitsahoo.com/