Lucene search

MongoDBMONGODB:CVE-2021-32036

HistoryFeb 04, 2022 - 5:38 p.m.

Denial of Service and Data Integrity vulnerability in features command

2022-02-0417:38:00

www.mongodb.com

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

0.001 Low

EPSS

Percentile

29.8%

JSON

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions.

CPENameOperatorVersion
mongodb serverle5.0.3
mongodb serverle4.4.9
mongodb serverle4.2.16
mongodb serverle4.0.28

Name	Operator	Version
mongodb server	le	5.0.3
mongodb server	le	4.4.9
mongodb server	le	4.2.16
mongodb server	le	4.0.28

References

jira.mongodb.org/browse/SERVER-59294

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

0.001 Low

EPSS

Percentile

29.8%

JSON

Related for MONGODB:CVE-2021-32036