CVE-2021-20330 — Improper Input Validation in INC Mongodb Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 40.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedDec 15

Latest updateDec 16

Description

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server4.0 — 4.0.27+2

▶NVDmongodb/mongodb4.0.0 — 4.0.25+2

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-8jvf-jqg4-r6h2: An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a↗2021-12-16

▶

CVEList

Specific replication command with malformed oplog entries can crash secondaries↗2021-12-15

▶

OSV

CVE-2021-20330: An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a↗2021-12-15

▶

📋Vendor Advisories

Red Hat

mongodb: specific replication command with malformed oplog entries can crash secondaries↗2021-12-15

▶