CVE-2021-32036
Published: 4 February 2022
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16; and MongoDB Server v4.0 versions prior to and including 4.0.28.
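The pattern described above (one low-privilege principal issuing the same unauthorized command at high volume) is something a defender can surface from command logs before a patched build is rolled out. The following is an added example, not code from MongoDB or the Ubuntu tracker; the log records are constructed and use a simplified JSON shape (assumed fields `ts`, `user`, `command`), not mongod's exact structured-log format.

```python
"""Flag users who issue a watched command (e.g. `features`) in bursts that
match the resource-depletion pattern described for CVE-2021-32036."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Command names taken from the advisory text; extend as needed.
WATCHED = {"features", "oidReset"}


def load_records(lines):
    """Parse constructed JSON log lines into (timestamp, user, command)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)  # assumed shape: {"ts": ISO-8601, "user": str, "command": str}
        yield (datetime.fromisoformat(rec["ts"]), rec["user"], rec["command"])


def find_bursts(records, window_s=10, threshold=5):
    """Return {user: peak_count} for every user who issued a watched command
    more than `threshold` times inside any sliding `window_s`-second window."""
    recent = defaultdict(deque)   # per-user timestamps inside the current window
    peaks = {}
    for ts, user, cmd in sorted(records):
        if cmd not in WATCHED:
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop entries that aged out
            q.popleft()
        if len(q) > threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


# CONSTRUCTED sample: "readonly" fires `features` eight times in eight seconds,
# "app" fires it twice a minute apart, and one unrelated `find` is mixed in.
SAMPLE = "\n".join(
    [json.dumps({"ts": f"2022-02-04T12:00:0{i}+00:00", "user": "readonly", "command": "features"})
     for i in range(8)]
    + [json.dumps({"ts": "2022-02-04T12:00:00+00:00", "user": "app", "command": "features"}),
       json.dumps({"ts": "2022-02-04T12:01:00+00:00", "user": "app", "command": "features"}),
       json.dumps({"ts": "2022-02-04T12:00:03+00:00", "user": "readonly", "command": "find"})]
)

if __name__ == "__main__":
    print(find_bursts(load_records(SAMPLE.splitlines())))  # {'readonly': 8}
```

Tune `window_s` and `threshold` to the normal call rate of your drivers; the `features` command is legitimately issued by some clients at connection time, so a burst from one principal, not any single call, is the signal.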
Notes
Author | Note |
---|---|
sbeattie | The `oidReset` command implementation has existed in a couple of different locations in MongoDB history: in src/mongo/db/commands/generic.cpp during 3.6.x and in src/mongo/db/dbcommands_generic.cpp in the 2.x timeframe. All of those implementations of `oidReset` lack an authorization requirement. All of the upstream commits for this issue are on branches licensed under MongoDB's SSPL, which makes backporting them to GNU Affero-licensed versions problematic. |
Priority
Status
Package | Release | Status |
---|---|---|
mongodb (Launchpad, Ubuntu, Debian) | bionic | Needed |
mongodb | focal | Needed |
mongodb | trusty | Needed |
mongodb | upstream | Released (4.2.18, 4.4.10, 5.0.4, 5.1.0) |
mongodb | xenial | Needs triage |

Patches:
upstream: https://github.com/mongodb/mongo/commit/9961fac1b2090484ec3ceaedc921ce2794e2fc79
upstream: https://github.com/mongodb/mongo/commit/d157291e03f8bcbaef497a78da93af1daae89fc4
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | Low |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |