Search criteria
2 vulnerabilities found for MongoDB Connector for BI by MongoDB Inc
CVE-2025-11535 (GCVE-0-2025-11535)
Vulnerability from cvelistv5 – Published: 2025-10-08 22:07 – Updated: 2025-10-10 03:55
VLAI?
Title
MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories
Summary
MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Connector for BI |
Affected:
2.0.0 , ≤ 2.14.24
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T03:55:24.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "MongoDB Connector for BI",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThanOrEqual": "2.14.24",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-08T21:26:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MongoDB Connector for BI installation via\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMSI\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eon Windows \u003c/span\u003eleaves ACLs unset on custom install directories allows Privilege Escalation.\u003cp\u003eThis issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.\u003c/p\u003e"
}
],
"value": "MongoDB Connector for BI installation via\u00a0MSI\u00a0on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T22:07:18.498Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://www.mongodb.com/docs/bi-connector/current/release-notes/#bi-2.14.25"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-11535",
"datePublished": "2025-10-08T22:07:18.498Z",
"dateReserved": "2025-10-08T21:16:03.837Z",
"dateUpdated": "2025-10-10T03:55:24.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11535 (GCVE-0-2025-11535)
Vulnerability from nvd – Published: 2025-10-08 22:07 – Updated: 2025-10-10 03:55
VLAI?
Title
MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories
Summary
MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Connector for BI |
Affected:
2.0.0 , ≤ 2.14.24
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T03:55:24.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "MongoDB Connector for BI",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThanOrEqual": "2.14.24",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-08T21:26:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MongoDB Connector for BI installation via\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMSI\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eon Windows \u003c/span\u003eleaves ACLs unset on custom install directories allows Privilege Escalation.\u003cp\u003eThis issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.\u003c/p\u003e"
}
],
"value": "MongoDB Connector for BI installation via\u00a0MSI\u00a0on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T22:07:18.498Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://www.mongodb.com/docs/bi-connector/current/release-notes/#bi-2.14.25"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-11535",
"datePublished": "2025-10-08T22:07:18.498Z",
"dateReserved": "2025-10-08T21:16:03.837Z",
"dateUpdated": "2025-10-10T03:55:24.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}