Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-63968

Prohibit enumeration of builtin roles on $external database

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 6.0.0-rc0, 5.0.7, 5.2.2, 5.3.0-rc2
    • None
    • None
    • Minor Change
    • ALL
    • v5.3, v5.2, v5.0
    • Security 2022-03-07

    Description

      CVE-2022-24272

      Title
      MongoDB Server (mongod) may crash in response to unexpected requests

      CVE ID
      CVE-2022-24272

      Description

      An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.

      CVSS score

      This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

      Affected versions
      MongoDB Server v5.0.0 and later

      CWE

      CWE-617: Reachable Assertion

      Underlying operating systems affected
      ALL

      How the issue was reported:
      Internally

      External Reference link (server ticket)
      SERVER-63968

      Attachments

        Activity

          People

            sara.golemon@mongodb.com Sara Golemon
            sara.golemon@mongodb.com Sara Golemon
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: