[SERVER-49142] Validate correct field name in RoleName::parseFromBSON() Created: 26/Jun/20  Updated: 29/Oct/23  Resolved: 26/Jun/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 3.6.0
Fix Version/s: 4.0.20, 3.6.19, 4.4.0-rc12, 4.2.9, 4.7.0

Type: Bug Priority: Major - P3
Reporter: Sara Golemon Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4, v4.2, v4.0, v3.6
Sprint: Security 2020-06-29
Participants:
Case:

 Description   
CVE-2020-7925

Title: Denial of Service when processing malformed Role names

Description: Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.

CVSS score: 7.5 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-475: Undefined Behavior for Input to API

Affected versions:

This issue affects - MongoDB Inc. MongoDB Server:

  • v4.4 versions prior to 4.4.0-rc12;
  • v4.2 versions prior to 4.2.9.

Due to a bug in the query planner it's possible to trip this invariant for certain types of queries.



 Comments   
Comment by Lucy Buckingham [ 02/Dec/20 ]

There is a mismatch between the versions described on the CVE and the Fix Versions on this Jira ticket. This is for the following reason:

In released versions of MongoDB 3.6, the code path reported in the CVE could never be triggered so the security vulnerability was never exposed in any versions prior to MongoDB 4.2. The vulnerability followed a code path only active in MongoDB 4.2.x and 4.4.x, but the security change was backported to all supported versions including 3.6 and 4.0. This was done to prevent the vulnerability being exposed in future if this code path was ever activated by another backport.

Comment by Githook User [ 29/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Validate correct field name in RoleName::parseFromBSON()

(cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9)
Branch: v3.6
https://github.com/mongodb/mongo/commit/8fbd1af03310704de68c22163900636f58f7eba8

Comment by Githook User [ 29/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Validate correct field name in RoleName::parseFromBSON()

(cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9)
Branch: v4.0
https://github.com/mongodb/mongo/commit/f3ae7de2c04819a1cd33205e802b19e86d227213

Comment by Githook User [ 29/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Validate correct field name in RoleName::parseFromBSON()

(cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9)
Branch: v4.2
https://github.com/mongodb/mongo/commit/9fff0f04f5b3e37502741c6f1c6674b1a5c10767

Comment by Githook User [ 29/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Test unexpected values in command.$audit

(cherry picked from commit 3901e0d8d9a821b2c045068fa505041cde25eb42)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/6a5e48cb970c8974b14a71cc2fcc69ec62bd7e99

Comment by Githook User [ 26/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Validate correct field name in RoleName::parseFromBSON()

(cherry picked from commit e43e383fd690f8dd930c1e912853d7ad7e0248e9)
Branch: v4.4
https://github.com/mongodb/mongo/commit/feb50487c23cf6e61843ac6a0ed9ce0a92cd6f71

Comment by Githook User [ 26/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Test unexpected values in command.$audit

(cherry picked from commit 3901e0d8d9a821b2c045068fa505041cde25eb42)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/7504c39e787d24dfaee1fe0ba45e331610dda0dc

Comment by Githook User [ 26/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Validate correct field name in RoleName::parseFromBSON()
Branch: master
https://github.com/mongodb/mongo/commit/c7f14b7be4a1f622fe81ef60f946a5aac17f3d0e

Comment by Githook User [ 26/Jun/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-49142 Test unexpected values in command.$audit
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/3901e0d8d9a821b2c045068fa505041cde25eb42

Generated at Thu Feb 08 05:19:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.