[SERVER-63968] Prohibit enumeration of builtin roles on $external database Created: 24/Feb/22  Updated: 29/Oct/23  Resolved: 27/Feb/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0.0-rc0, 5.0.7, 5.3.0-rc2, 5.2.2

Type: Bug Priority: Major - P3
Reporter: Sara Golemon Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested:
v5.3, v5.2, v5.0
Sprint: Security 2022-03-07
Participants:

 Description   
CVE-2022-24272

Title
MongoDB Server (mongod) may crash in response to unexpected requests

CVE ID
CVE-2022-24272

Description

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.

CVSS score

This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions
MongoDB Server v5.0.0 and later, prior to the fix versions listed above (5.0.7, 5.2.2, 5.3.0-rc2, 6.0.0-rc0)

CWE

CWE-617: Reachable Assertion

Underlying operating systems affected
ALL

How the issue was reported:
Internally

External Reference link (server ticket)
SERVER-63968



 Comments   
Comment by Githook User [ 01/Mar/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-63968 Use multiversion_incompatible tag instead of requires_fcv

(cherry picked from commit 09a976d1778d05588d0032930658eae3901125f8)
Branch: v5.2
https://github.com/mongodb/mongo/commit/5ead63b5661c2becde994b9dc47eba623e826579

Comment by Githook User [ 01/Mar/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-63968 Use multiversion_incompatible tag instead of requires_fcv
Branch: v5.3
https://github.com/mongodb/mongo/commit/09a976d1778d05588d0032930658eae3901125f8

Comment by Githook User [ 28/Feb/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-63968 Prohibit enumeration of builtin roles on $external database

(cherry picked from commit 59df956365a44cc63e2d3c55d1734ee960891a8b)
Branch: v5.3
https://github.com/mongodb/mongo/commit/7584bddbd31e6d803ffd950e134390e97ba25f84

Comment by Githook User [ 28/Feb/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-63968 Prohibit enumeration of builtin roles on $external database

(cherry picked from commit 59df956365a44cc63e2d3c55d1734ee960891a8b)
Branch: v5.2
https://github.com/mongodb/mongo/commit/85f33bb1a0756c89e0ce8b00599525be381d8e9f

Comment by Githook User [ 28/Feb/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-63968 Prohibit enumeration of builtin roles on $external database

(cherry picked from commit 59df956365a44cc63e2d3c55d1734ee960891a8b)
Branch: v5.0
https://github.com/mongodb/mongo/commit/d3b28ca11dfa873b91771b29693f67df384e76ad

Comment by Githook User [ 27/Feb/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-63968 Prohibit enumeration of builtin roles on $external database
Branch: master
https://github.com/mongodb/mongo/commit/59df956365a44cc63e2d3c55d1734ee960891a8b

Generated at Thu Feb 08 05:59:08 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.