
Cloud Vulnerability DB
A community-led vulnerabilities database
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17, a privilege escalation vulnerability was discovered. The vulnerability, tracked as CVE-2023-4009, allows authenticated users with project owner or project user admin access to generate an API key with organization owner privileges (MongoDB Release Notes, NVD).
The vulnerability is classified with a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-269 (Improper Privilege Management) and CWE-648 (Incorrect Use of Privileged APIs). The vulnerability specifically involves the API key generation mechanism where project-level privileges could be escalated to organization-level access (NVD, NetApp Advisory).
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, modification of data, and potential Denial of Service (DoS). The vulnerability allows project-level users to gain organization-level privileges, effectively bypassing intended access control mechanisms (NetApp Advisory).
MongoDB has released patches to address this vulnerability. Users should upgrade to MongoDB Ops Manager v5.0.22 or later for v5.0 installations, or v6.0.17 or later for v6.0 installations. These updates include fixes for the privilege escalation vulnerability (MongoDB Release Notes).
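To turn the version ranges above into a repeatable check, here is an added example (not from the advisory or MongoDB) that classifies Ops Manager version strings against the fixed releases named on this page; the host names and versions in the sample inventory are constructed, and versions on release lines the advisory does not mention are reported as "not listed" rather than guessed at.

```python
"""Version-threshold check for CVE-2023-4009 (MongoDB Ops Manager).

Fixed versions per the advisory: 5.0.22 for the 5.0 line and 6.0.17 for
the 6.0 line. Other release lines are not described by the advisory, so
they are reported as "not listed" instead of being assumed safe or unsafe.
"""
import re

# Fixed versions from the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    (5, 0): (5, 0, 22),
    (6, 0): (6, 0, 17),
}

# Accepts "6.0.16", "v6.0.16" and "6.0.16-rc1"; the suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse an Ops Manager version string into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ops Manager version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for one version string."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not listed"  # release line not covered by the advisory text
    return "vulnerable" if version < fixed else "fixed"


def assess_inventory(inventory: dict) -> dict:
    """Classify every host in a {host: version} mapping."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "opsmgr-a.example": "5.0.21",
        "opsmgr-b.example": "v5.0.22",
        "opsmgr-c.example": "6.0.16",
        "opsmgr-d.example": "6.0.17",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host}: {status}")
```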
Source: This report was generated using AI