Lucene search

MongoDBMONGODB:CVE-2024-3372

HistoryMay 14, 2024 - 2:56 p.m.

MongoDB Server may have unexpected application behaviour due to invalid BSON

2024-05-1414:56:00

www.mongodb.com

mongodb

server

application behaviour

invalid bson

metadata

serialising

pre-authentication

unexpected

unavailability

serverstatus

v7.0

v6.0

v5.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.

CPENameOperatorVersion
mongodb serverlt5.0.25
mongodb serverlt6.0.14
mongodb serverlt7.0.6

Name	Operator	Version
mongodb server	lt	5.0.25
mongodb server	lt	6.0.14
mongodb server	lt	7.0.6

References

jira.mongodb.org/browse/SERVER-85263

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for MONGODB:CVE-2024-3372