Lucene search

MongoDBMONGODB:CVE-2024-6375

HistoryJul 01, 2024 - 2:40 p.m.

Missing authorization check may lead to shard key refinement

2024-07-0114:40:00

www.mongodb.com

mongodb

authorization check

shard key

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.

CPENameOperatorVersion
mongodb serverlt5.0.22
mongodb serverlt6.0.11
mongodb serverlt7.0.3

Name	Operator	Version
mongodb server	lt	5.0.22
mongodb server	lt	6.0.11
mongodb server	lt	7.0.3

References

jira.mongodb.org/browse/SERVER-79327

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for MONGODB:CVE-2024-6375