Lucene search

PRIOn knowledge basePRION:CVE-2021-32040

HistoryApr 12, 2022 - 3:15 p.m.

Stack overflow

2022-04-1215:15:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.8%

JSON

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16.

Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.

CPENameOperatorVersion
mongodbge5.0.0
mongodblt5.0.4
mongodbge4.4.0
mongodblt4.4.11
mongodbge4.2.0
mongodblt4.2.16

Name	Operator	Version
mongodb	ge	5.0.0
mongodb	lt	5.0.4
mongodb	ge	4.4.0
mongodb	lt	4.4.11
mongodb	ge	4.2.0
mongodb	lt	4.2.16

References

jira.mongodb.org/browse/SERVER-58203

jira.mongodb.org/browse/SERVER-59299

jira.mongodb.org/browse/SERVER-60218

security.netapp.com/advisory/ntap-20220609-0005/