[SERVER-49142] Validate correct field name in RoleName::parseFromBSON()
Created: 26/Jun/20 Updated: 29/Oct/23 Resolved: 26/Jun/20
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 3.6.0 |
| Fix Version/s: | 4.0.20, 3.6.19, 4.4.0-rc12, 4.2.9, 4.7.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Sara Golemon | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.4, v4.2, v4.0, v3.6 |
| Sprint: | Security 2020-06-29 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
|
CVE-2020-7925
Title: Denial of Service when processing malformed Role names
Description: Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.
CVSS score: 7.5 using the following scoring metrics:
CWE: CWE-475: Undefined Behavior for Input to API
Affected versions: This issue affects - MongoDB Inc. MongoDB Server:
— Due to a bug in the query planner it's possible to trip this invariant for certain types of queries. |
| Comments |
| Comment by Lucy Buckingham [ 02/Dec/20 ] |
|
There is a mismatch between the versions described on the CVE and the Fix Versions on this Jira ticket. This is for the following reason: In released versions of MongoDB 3.6, the code path reported in the CVE could never be triggered so the security vulnerability was never exposed in any versions prior to MongoDB 4.2. The vulnerability followed a code path only active in MongoDB 4.2.x and 4.4.x, but the security change was backported to all supported versions including 3.6 and 4.0. This was done to prevent the vulnerability being exposed in future if this code path was ever activated by another backport. |
| Comment by Githook User [ 29/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: (cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9) |
| Comment by Githook User [ 29/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: (cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9) |
| Comment by Githook User [ 29/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: (cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9) |
| Comment by Githook User [ 29/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: (cherry picked from commit 3901e0d8d9a821b2c045068fa505041cde25eb42) |
| Comment by Githook User [ 26/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: (cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9) |
| Comment by Githook User [ 26/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: (cherry picked from commit 3901e0d8d9a821b2c045068fa505041cde25eb42) |
| Comment by Githook User [ 26/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: |
| Comment by Githook User [ 26/Jun/20 ] |
|
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'} Message: |