CVE-2024-1351: 
MongoDB vulnerability analysis and mitigation

MongoDB Server versions prior to 7.0.6, 6.0.14, 5.0.24, and 4.4.28 contain a vulnerability (CVE-2024-1351) where under certain configurations of --tlsCAFile and CAFile, the server may skip peer certificate validation which may result in untrusted connections to succeed (MongoDB Docs, NetApp Advisory).

The vulnerability has a CVSS v3 score of 8.8 (HIGH) with vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper certificate validation (CWE-295) which effectively reduces the security guarantees provided by TLS and allows connections that should have been closed due to failing certificate validation (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability may effectively reduce the security guarantees provided by TLS by allowing untrusted connections that should have been rejected (NetApp Advisory).

The vulnerability has been fixed in MongoDB versions 7.0.6, 6.0.14, 5.0.24, and 4.4.28. Users should upgrade to these or later versions to address the vulnerability. No workarounds are available at this time (MongoDB Docs).