<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:59:08 UTC 2024

You can restrict the fields returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary, append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-63968] Prohibit enumeration of builtin roles on $external database</title>
                <link>https://jira.mongodb.org/browse/SERVER-63968</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;div class=&quot;panel&quot; style=&quot;background-color: #eeeeee;border-color: #cccccc;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelHeader&quot; style=&quot;border-bottom-width: 1px;border-bottom-color: #cccccc;background-color: #6cb33f;&quot;&gt;&lt;b&gt;CVE-2022-24272&lt;/b&gt;&lt;/div&gt;&lt;div class=&quot;panelContent&quot; style=&quot;background-color: #eeeeee;&quot;&gt;
&lt;p&gt;&lt;b&gt;Title&lt;/b&gt; &lt;br/&gt;
 MongoDB Server (mongod) may crash in response to unexpected requests&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CVE ID&lt;/b&gt;&lt;br/&gt;
 CVE-2022-24272&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Description&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CVSS score&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;This issue&apos;s CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:&lt;br/&gt;
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Affected versions&lt;/b&gt;&lt;br/&gt;
 MongoDB Server v5.0.0 and later&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CWE&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;CWE-617: Reachable Assertion&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Underlying operating systems affected&lt;/b&gt;&lt;br/&gt;
 ALL&lt;/p&gt;

&lt;p&gt;&lt;b&gt;How the issue was reported&lt;/b&gt;: &lt;br/&gt;
 Internally&lt;/p&gt;

&lt;p&gt;&lt;b&gt;External Reference link (server ticket)&lt;/b&gt; &lt;br/&gt;
 &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;</description>
                <environment></environment>
        <key id="1989672">SERVER-63968</key>
            <summary>Prohibit enumeration of builtin roles on $external database</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="sara.golemon@mongodb.com">Sara Golemon</assignee>
                                    <reporter username="sara.golemon@mongodb.com">Sara Golemon</reporter>
                        <labels>
                    </labels>
                <created>Thu, 24 Feb 2022 16:15:49 +0000</created>
                <updated>Sun, 29 Oct 2023 21:42:00 +0000</updated>
                            <resolved>Sun, 27 Feb 2022 14:20:01 +0000</resolved>
                                                    <fixVersion>6.0.0-rc0</fixVersion>
                    <fixVersion>5.0.7</fixVersion>
                    <fixVersion>5.3.0-rc2</fixVersion>
                    <fixVersion>5.2.2</fixVersion>
                                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="4384153" author="xgen-internal-githook" created="Tue, 1 Mar 2022 18:12:49 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt; Use multiversion_incompatible tag instead of requires_fcv&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 09a976d1778d05588d0032930658eae3901125f8)&lt;br/&gt;
Branch: v5.2&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/5ead63b5661c2becde994b9dc47eba623e826579&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/5ead63b5661c2becde994b9dc47eba623e826579&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4384053" author="xgen-internal-githook" created="Tue, 1 Mar 2022 17:40:01 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt; Use multiversion_incompatible tag instead of requires_fcv&lt;br/&gt;
Branch: v5.3&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/09a976d1778d05588d0032930658eae3901125f8&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/09a976d1778d05588d0032930658eae3901125f8&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4382241" author="xgen-internal-githook" created="Mon, 28 Feb 2022 23:25:59 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt; Prohibit ennumeration of builtin roles on $external database&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 59df956365a44cc63e2d3c55d1734ee960891a8b)&lt;br/&gt;
Branch: v5.3&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/7584bddbd31e6d803ffd950e134390e97ba25f84&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/7584bddbd31e6d803ffd950e134390e97ba25f84&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4382239" author="xgen-internal-githook" created="Mon, 28 Feb 2022 23:24:50 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt; Prohibit ennumeration of builtin roles on $external database&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 59df956365a44cc63e2d3c55d1734ee960891a8b)&lt;br/&gt;
Branch: v5.2&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/85f33bb1a0756c89e0ce8b00599525be381d8e9f&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/85f33bb1a0756c89e0ce8b00599525be381d8e9f&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4382232" author="xgen-internal-githook" created="Mon, 28 Feb 2022 23:20:58 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt; Prohibit ennumeration of builtin roles on $external database&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 59df956365a44cc63e2d3c55d1734ee960891a8b)&lt;br/&gt;
Branch: v5.0&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/d3b28ca11dfa873b91771b29693f67df384e76ad&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/d3b28ca11dfa873b91771b29693f67df384e76ad&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4379000" author="xgen-internal-githook" created="Sun, 27 Feb 2022 05:39:23 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-63968&quot; title=&quot;Prohibit enumeration of builtin roles on $external database&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-63968&quot;&gt;&lt;del&gt;SERVER-63968&lt;/del&gt;&lt;/a&gt; Prohibit ennumeration of builtin roles on $external database&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/59df956365a44cc63e2d3c55d1734ee960891a8b&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/59df956365a44cc63e2d3c55d1734ee960891a8b&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                            <outwardlinks description="backported by">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>6.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_12450" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Backport Requested</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="23140"><![CDATA[v5.3]]></customfieldvalue>
    <customfieldvalue key="22676"><![CDATA[v5.2]]></customfieldvalue>
    <customfieldvalue key="21777"><![CDATA[v5.0]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10011"><![CDATA[Minor Change]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 24 Feb 2022 16:55:59 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        1 year, 49 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 49 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i0l8r3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i04ask:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="5702">Security 2022-03-07</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i0kuwf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>