Mar 22, 2024 - 4:06 p.m.

Security Bulletin: Vulnerabilities in MongoDB might affect IBM Storage Copy Data Management

2024-03-22 16:06:29
www.ibm.com
ibm storage copy data management
mongodb
vulnerabilities
remote attackers
denial of service
resource depletion
sensitive information
disclosure
cve-2021-32036
cve-2021-32040
cve-2023-1409
linux

CVSS2: 5.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.9 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 70.9%)

Summary

IBM Storage Copy Data Management can be affected by vulnerabilities in MongoDB. A remote authenticated attacker could exploit these vulnerabilities to crash the application, to cause resource depletion or high lock contention resulting in a denial of service condition, or to obtain sensitive information and use it to launch further attacks against the affected system, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID: CVE-2021-32036
**DESCRIPTION:** MongoDB is vulnerable to a denial of service, caused by improper authorization validation. By sending a specially-crafted request to repeatedly invoke the features command, a remote authenticated attacker could exploit this vulnerability to cause resource depletion or generate high lock contention, resulting in a denial of service condition.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2021-32040
**DESCRIPTION:** MongoDB is vulnerable to a denial of service, caused by a stack-based overflow flaw during a long aggregation pipeline in conjunction with a specific stage/operator. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225119 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-1409
**DESCRIPTION:** MongoDB could allow a remote attacker to obtain sensitive information, caused by a flaw when configured to use TLS with a specific set of configuration options. By persuading a victim to connect to a specially crafted server, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264345 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Storage Copy Data Management | 2.2.0.0 - 2.2.22.1

Remediation/Fixes

Affected Versions | Fixing Level | Platform | Link to Fix and Instructions
---|---|---|---
2.2.0.0 - 2.2.22.1 | 2.2.23.0 | Linux | <https://www.ibm.com/support/pages/node/7116233>

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm storage_copy_data_management, Match 2.2

CPE Name | Operator | Version
---|---|---
ibm storage copy data management | eq | 2.2
