Move user cache invalidation from OpObserver to onCommit handlers

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 8.1.0-rc0, 5.0.31, 8.0.5, 6.0.24, 7.0.21
    • Affects Version/s: None
    • Component/s: None
    • Server Security
    • Fully Compatible
    • ALL
    • v8.0, v7.3, v7.0, v6.0, v5.0
    • Security 2024-08-19

      CVE ID:

      CVE-2025-6707

      Title:

      Race condition in privilege cache invalidation cycle

      Description:

      Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

      CVSS Score:

      4.2 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

      List all affected product versions:

      MongoDB Server v5.0 version prior to 5.0.31

      MongoDB Server v6.0 version prior to 6.0.24

      MongoDB Server v7.0 version prior to 7.0.21

      MongoDB Server v8.0 version prior to 8.0.5

      CWE:

      CWE-863: Incorrect Authorization

            Assignee:
            Gabriel Marks
            Reporter:
            Gabriel Marks
            Votes:
            0
            Watchers:
            5
