CVE-2025-6707

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://jira.mongodb.org/browse/SERVER-93497	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mongodb:mongodb:::::-:::*
	cpe:2.3:a:mongodb:mongodb:::::-:::*
	cpe:2.3:a:mongodb:mongodb:::::-:::*
	cpe:2.3:a:mongodb:mongodb:::::-:::*

History

15 Sep 2025, 14:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mongodb:mongodb:::::-:::*
First Time		Mongodb Mongodb mongodb
Summary		(es) En determinadas circunstancias, una solicitud de usuario autenticado podría ejecutarse con privilegios obsoletos tras un cambio intencionado por parte de un administrador autorizado. Este problema afecta a MongoDB Server v5.0 (versión anterior a la 5.0.31), MongoDB Server v6.0 (versión anterior a la 6.0.24), MongoDB Server v7.0 (versión anterior a la 7.0.21) y MongoDB Server v8.0 (versión anterior a la 8.0.5).
References	~~() https://jira.mongodb.org/browse/SERVER-93497 -~~	() https://jira.mongodb.org/browse/SERVER-93497 - Issue Tracking, Vendor Advisory

26 Jun 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-26 14:15

Updated : 2025-09-15 14:24

NVD link : CVE-2025-6707

Mitre link : CVE-2025-6707

CVE.ORG link : CVE-2025-6707

JSON object : View

Products Affected

mongodb

mongodb

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-6707", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@mongodb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2025-06-26T14:15:35.313", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-93497", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cna@mongodb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@mongodb.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5."}, {"lang": "es", "value": "En determinadas circunstancias, una solicitud de usuario autenticado podr\u00eda ejecutarse con privilegios obsoletos tras un cambio intencionado por parte de un administrador autorizado. Este problema afecta a MongoDB Server v5.0 (versi\u00f3n anterior a la 5.0.31), MongoDB Server v6.0 (versi\u00f3n anterior a la 6.0.24), MongoDB Server v7.0 (versi\u00f3n anterior a la 7.0.21) y MongoDB Server v8.0 (versi\u00f3n anterior a la 8.0.5)."}], "lastModified": "2025-09-15T14:24:24.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "778BE562-0F98-4690-AFE2-1D8F32DBCFD4", "versionEndExcluding": "5.0.31", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "D7100BE5-A7C1-4BA0-825B-A98D64F75D2B", "versionEndExcluding": "6.0.24", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "1C059CAD-BB68-47C0-9ED2-FCC0ED428674", "versionEndExcluding": "7.0.21", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "564B8805-F93C-4F12-B29B-4EF3DD83CC9E", "versionEndExcluding": "8.0.5", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@mongodb.com"}