CVE-2021-20330
Published 2021-12-15
Priority P4 · 32 · medium 6.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.04% (59.6th percentile)
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 4.0.0 < 4.0.25 | 4.0.25 |
| mongodb | mongodb | >= 4.2.0 < 4.2.14 | 4.2.14 |
| mongodb | mongodb | >= 4.4.0 < 4.4.6 | 4.4.6 |
| mongodb_inc | mongodb_server | >= 4.0 < 4.0.27 | 4.0.27 |
| mongodb_inc | mongodb_server | >= 4.2 < 4.2.16 | 4.2.16 |
| mongodb_inc | mongodb_server | >= 4.4 < 4.4.9 | 4.4.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | | 6.5 | MEDIUM | |
| vendor_redhat | | 6.5 | MEDIUM | |
Red Hat
mongodb: specific replication command with malformed oplog entries can crash secondaries
Source: vendor_redhat · 2021-12-15 · CVSS 6.5 · MEDIUM · CWE-20
A denial of service attack was found in MongoDB. An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries.
Package: mongodb (Red Hat Update Infrastructure 3 for Cloud Providers): Will not fix
GHSA
GHSA-8jvf-jqg4-r6h2
Source: ghsa_unreviewed · 2021-12-16 · MEDIUM · CWE-20
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.
OSV
CVE-2021-20330
Source: osv · 2021-12-15 · CVSS 6.5 · MEDIUM
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.