Core Server / SERVER-59294

Check action type for oidReset


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Fix Version/s: 4.2.18, 4.4.10, 5.0.4, 5.1.0-rc0
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport branches: v5.0, v4.4, v4.2, v4.0, v3.6
    • Sprint: Security 2021-09-20, Security 2021-10-04

    Description

      CVE-2021-32036

      Title
      Denial of Service and Data Integrity vulnerability in features command

      CVE ID
      CVE-2021-32036

      Description

      An authenticated user without any specific authorizations may be able to repeatedly invoke the features command; at high volume this may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions.
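      As an added defensive example (not part of this ticket and not MongoDB's own code), the Python script below looks for the pattern the description names: a single principal invoking the features command at high volume. It reads constructed audit-log lines whose field layout (`ts.$date`, `remote.ip`, `users`, `param.command`) is an assumption loosely modelled on mongod's audit output with auditAuthorizationSuccess enabled, keys each call by user and client address, and reports any (user, ip) pair that issues the command at least `threshold` times inside a sliding window of `window_seconds`. The threshold and window are placeholders to tune against your own baseline of features traffic.

```python
import json
from collections import defaultdict, deque
from datetime import datetime


def _audit_line(ts, user, ip, command):
    """Build one constructed audit-log line. The field layout is an assumption
    loosely modelled on mongod's audit output (auditAuthorizationSuccess=true);
    none of these records come from the ticket."""
    return json.dumps({
        "atype": "authCheck",
        "ts": {"$date": ts},
        "remote": {"ip": ip, "port": 51234},
        "users": [{"user": user, "db": "admin"}],
        "param": {"command": command, "ns": "admin.$cmd"},
        "result": 0,
    })


# Constructed sample: "app" from 10.0.0.5 calls `features` five times in 50 s,
# interleaved with a normal `find`; one later call and one from another user
# are ordinary background noise. The last line is deliberately malformed.
SAMPLE_AUDIT_LINES = [
    _audit_line("2021-09-20T12:00:00+00:00", "app", "10.0.0.5", "features"),
    _audit_line("2021-09-20T12:00:05+00:00", "app", "10.0.0.5", "features"),
    _audit_line("2021-09-20T12:00:10+00:00", "app", "10.0.0.5", "find"),
    _audit_line("2021-09-20T12:00:12+00:00", "app", "10.0.0.5", "features"),
    _audit_line("2021-09-20T12:00:20+00:00", "reporting", "10.0.0.9", "features"),
    _audit_line("2021-09-20T12:00:30+00:00", "app", "10.0.0.5", "features"),
    _audit_line("2021-09-20T12:00:50+00:00", "app", "10.0.0.5", "features"),
    _audit_line("2021-09-20T12:02:00+00:00", "app", "10.0.0.5", "features"),
    "this line is not JSON and must be skipped rather than crash the detector",
]


def parse_entry(line):
    """Return (timestamp, user, remote_ip, command), or None for unusable lines."""
    try:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"]["$date"])
        users = rec.get("users") or []
        user = users[0]["user"] if users else "<unauthenticated>"
        ip = rec["remote"]["ip"]
        command = rec["param"]["command"]
    except (ValueError, KeyError, IndexError, TypeError):
        return None
    return ts, user, ip, command


def find_bursts(lines, command="features", threshold=50, window_seconds=60):
    """Sliding-window rate check.

    Returns {(user, ip): peak_count} for every principal that issued `command`
    at least `threshold` times within any span of `window_seconds`.
    """
    events = [e for e in map(parse_entry, lines) if e is not None and e[3] == command]
    events.sort(key=lambda e: e[0])      # log lines may arrive slightly out of order
    recent = defaultdict(deque)          # (user, ip) -> timestamps inside the window
    peak = {}
    for ts, user, ip, _ in events:
        key = (user, ip)
        window = recent[key]
        window.append(ts)
        # Drop timestamps that fell out of the trailing window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peak[key] = max(peak.get(key, 0), len(window))
    return peak


if __name__ == "__main__":
    # A threshold of 3 is deliberately low so the constructed sample trips it.
    for (user, ip), count in find_bursts(SAMPLE_AUDIT_LINES, threshold=3).items():
        print(f"ALERT user={user} ip={ip} features_calls_in_window={count}")
```

      Keying on user and client address rather than on user alone keeps a single noisy client from hiding behind a shared service account; the malformed-line check matters because audit files are often rotated or truncated mid-record and a detector that aborts on the first bad line silently misses everything after it.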

      CVSS score
      This issue's CVSS:3.1 severity is scored at 5.4 using the following scoring metrics:
      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

      Affected versions
      MongoDB Server v5.0.0-v5.0.3, v4.4.0-v4.4.9, v4.2.0-v4.2.16, and all prior versions going back to v4.0.28

      CWE
      CWE-770: Allocation of Resources Without Limits or Throttling

      Underlying operating systems affected
      ALL

      How the issue was reported
      Internally

      External Reference link (server ticket)
      SERVER-59294 

      People

        erwin.pe@mongodb.com Erwin Pe
        sara.golemon@mongodb.com Sara Golemon
        Votes: 0
        Watchers: 4