Core Server / SERVER-59294

Check action type for oidReset

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.2.18, 4.4.10, 5.0.4, 5.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v5.0, v4.4, v4.2, v4.0, v3.6
    • Sprint: Security 2021-09-20, Security 2021-10-04

      CVE-2021-32036

      Title
      Denial of Service and Data Integrity vulnerability in features command

      CVE ID
      CVE-2021-32036

      Description

      An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at high volume may lead to resource depletion or high lock contention. This may result in denial of service and, in rare cases, could result in id field collisions.

      CVSS score
      This issue's CVSS:3.1 severity is scored at 5.4 using the following scoring metrics:
      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

      Affected versions
      MongoDB Server v5.0.0-v5.0.3, v4.4.0-v4.4.9, v4.2.0-v4.2.16, and all prior versions going back to v4.0.28

      CWE
      CWE-770: Allocation of Resources Without Limits or Throttling

      Underlying operating systems affected
      ALL

      How the issue was reported:
      Internally

      External Reference link (server ticket)
      SERVER-59294 
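The advisory above describes two defender-relevant signals: the features command being invoked with oidReset by callers that hold no administrative role, and the same command being invoked at high volume by one caller. The script below is an added example, not code from this ticket or from MongoDB: it scans constructed lines shaped like mongod's JSON audit log (authCheck records; every value is invented), flags both signals, and checks a server version string against the Fix Version/s listed on the ticket. The privileged-role allowlist (`PRIVILEGED_ROLES`) and the audit record field layout are assumptions of the example.

```python
import json
from collections import Counter

# Fix versions taken from the ticket's Fix Version/s field.
FIX_VERSIONS = ("4.2.18", "4.4.10", "5.0.4", "5.1.0-rc0")

# Roles assumed to be entitled to reset the ObjectId counter. This allowlist is
# an assumption of the example; the ticket does not name the required action.
PRIVILEGED_ROLES = {"root"}

def _rec(user, role_db, role, command, args, ts):
    """Build one constructed audit record in the authCheck shape (values invented)."""
    return json.dumps({
        "atype": "authCheck", "ts": {"$date": ts},
        "remote": {"ip": "10.0.0.5", "port": 50001},
        "users": [{"user": user, "db": "admin"}],
        "roles": [{"role": role, "db": role_db}],
        "param": {"command": command, "ns": "admin.$cmd", "args": args},
        "result": 0,
    })

# Constructed sample audit log: three oidReset calls by an ordinary user, one by
# root, one plain features call, one unrelated command, one malformed line.
SAMPLE_AUDIT_LOG = "\n".join([
    _rec("appuser", "orders", "readWrite", "features", {"features": 1, "oidReset": 1}, "2021-09-21T10:00:00.000Z"),
    _rec("appuser", "orders", "readWrite", "features", {"features": 1, "oidReset": 1}, "2021-09-21T10:00:01.000Z"),
    _rec("appuser", "orders", "readWrite", "features", {"features": 1, "oidReset": 1}, "2021-09-21T10:00:02.000Z"),
    _rec("admin", "admin", "root", "features", {"features": 1, "oidReset": 1}, "2021-09-21T10:05:00.000Z"),
    _rec("appuser", "orders", "readWrite", "features", {"features": 1}, "2021-09-21T10:06:00.000Z"),
    _rec("appuser", "orders", "readWrite", "find", {"find": "orders"}, "2021-09-21T10:07:00.000Z"),
    "{not valid json",
    "",
])

def parse_audit_lines(text):
    """Parse newline-delimited JSON audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def is_features_call(record):
    """True for an authCheck record of the features command."""
    return record.get("atype") == "authCheck" and \
        (record.get("param") or {}).get("command") == "features"

def is_oid_reset(record):
    """True when the features call carries a truthy oidReset argument."""
    args = (record.get("param") or {}).get("args") or {}
    return is_features_call(record) and bool(args.get("oidReset"))

def caller(record):
    """Render the authenticated user(s) of a record as 'user@db'."""
    users = record.get("users") or []
    return ",".join(f"{u.get('user')}@{u.get('db')}" for u in users) or "<unauthenticated>"

def unprivileged_oid_resets(records, privileged_roles=PRIVILEGED_ROLES):
    """Callers that invoked features+oidReset while holding none of the privileged roles."""
    hits = []
    for rec in records:
        if not is_oid_reset(rec):
            continue
        roles = {r.get("role") for r in rec.get("roles") or []}
        if roles.isdisjoint(privileged_roles):
            hits.append(caller(rec))
    return hits

def high_volume_features_callers(records, threshold):
    """Callers that invoked the features command at least `threshold` times."""
    counts = Counter(caller(r) for r in records if is_features_call(r))
    return {who: n for who, n in counts.items() if n >= threshold}

def parse_version(text):
    """'5.1.0-rc0' -> (5, 1, 0, 0, 0); '5.0.4' -> (5, 0, 4, 1, 0). Finals sort after rcs."""
    core, _, pre = text.partition("-")
    major, minor, patch = (int(p) for p in core.split("."))
    if pre:
        if not pre.startswith("rc"):
            raise ValueError(f"unsupported pre-release tag: {pre}")
        return (major, minor, patch, 0, int(pre[2:]))
    return (major, minor, patch, 1, 0)

def has_fix(version_text, fix_versions=FIX_VERSIONS):
    """True if the version is at or above the ticket's fix version on its release branch."""
    v = parse_version(version_text)
    for fix in fix_versions:
        f = parse_version(fix)
        if f[:2] == v[:2]:
            return v >= f
    return False  # no fix version listed on the ticket for this branch

if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LOG)
    print("unprivileged oidReset callers:", unprivileged_oid_resets(recs))
    print("high-volume features callers:", high_volume_features_callers(recs, 3))
    for ver in ("5.0.3", "5.0.4", "4.4.9", "4.0.28"):
        print(ver, "fixed" if has_fix(ver) else "not fixed per ticket")
```

The threshold in `high_volume_features_callers` is a tuning knob: the advisory only says "high volume", so pick it from a baseline of normal features-command traffic on your own deployment. `has_fix` returns False for the v4.0 and v3.6 branches because the ticket lists backports for them but no fix version.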

            Assignee: Erwin Pe (erwin.pe@mongodb.com)
            Reporter: Sara Golemon (sara.golemon@mongodb.com)
            Votes: 0
            Watchers: 5
