CVE-2021-32036
published 2022-02-04


Severity: high, CVSS 3.1 base score 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Priority: P336
EPSS: 1.03% (59.5th percentile)
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16; and MongoDB Server v4.0 versions prior to and including 4.0.28.
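The description above gives a defender two concrete handles: the attack is a burst of one named command (features) from one authenticated connection, and the affected builds are bounded by exact patch versions. The following is an added example, not code from this page or from MongoDB, that turns both into something runnable: a triage check that maps a server version string onto the ranges quoted in the advisory text, and a detector that walks MongoDB 4.4-style structured (JSON) log lines and flags any connection issuing the command more than a threshold number of times inside a sliding window. The log lines are constructed for the example; the message id 51803 / "Slow query" entry is assumed to be what command-level logging emits, and the detector assumes the COMMAND component is being logged at a verbosity that records every command (otherwise only slow ones reach the log). The threshold and window are arbitrary tuning values, not figures from the advisory.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the MongoDB 4.4+ structured (JSON) log format.
# Assumption: command-level logging is enabled (COMMAND verbosity >= 1 or the
# profiler), so every command is written, not just slow ones.
SAMPLE_LOG = """\
{"t":{"$date":"2022-02-04T10:00:00.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":2}}
{"t":{"$date":"2022-02-04T10:00:00.100+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":2}}
{"t":{"$date":"2022-02-04T10:00:00.200+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":3}}
{"t":{"$date":"2022-02-04T10:00:00.250+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"app.users","command":{"find":"users","filter":{},"$db":"app"},"durationMillis":1}}
{"t":{"$date":"2022-02-04T10:00:00.300+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":4}}
{"t":{"$date":"2022-02-04T10:00:00.400+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":6}}
{"t":{"$date":"2022-02-04T10:00:00.500+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":9}}
a non-JSON line such as a startup banner, which the parser must skip
{"t":{"$date":"2022-02-04T10:00:01.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn13","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"features":1,"$db":"admin"},"durationMillis":2}}
{"t":{"$date":"2022-02-04T10:00:02.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn13","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"ping":1,"$db":"admin"},"durationMillis":0}}
"""

# Inclusive upper bounds as stated in the advisory text on this page. Note the
# range feed on the same page extends the 4.2 bound to "< 4.2.18"; confirm the
# exact fix version against the vendor advisory before relying on either.
AFFECTED_INCLUSIVE = {
    (4, 0): (4, 0, 28),
    (4, 2): (4, 2, 16),
    (4, 4): (4, 4, 9),
    (5, 0): (5, 0, 3),
}


def is_affected(version):
    """True if a MongoDB Server version string falls inside a listed range."""
    parts = tuple(int(p) for p in version.split("."))
    last = AFFECTED_INCLUSIVE.get(parts[:2])
    return last is not None and parts <= last


def parse_command_events(text):
    """Yield (timestamp, connection ctx, command name) for each logged command.
    Non-JSON lines and entries that are not command records are skipped."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        attr = rec.get("attr") or {}
        if rec.get("c") != "COMMAND" or attr.get("type") != "command":
            continue
        cmd = attr.get("command") or {}
        if not cmd:
            continue
        name = next(iter(cmd))  # the command name is the first key of the document
        ts = datetime.fromisoformat(rec["t"]["$date"])
        yield ts, rec.get("ctx", "?"), name


def find_command_floods(text, command="features", threshold=5, window=timedelta(seconds=1)):
    """Return {ctx: peak_count} for every connection that issued `command`
    more than `threshold` times within any sliding window of length `window`."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    events = sorted(e for e in parse_command_events(text) if e[2] == command)
    for ts, ctx, _ in events:
        q = recent[ctx]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ctx] = max(peak[ctx], len(q))
    return {ctx: n for ctx, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for v in ("4.0.28", "4.2.17", "4.4.9", "5.0.4"):
        print(v, "affected" if is_affected(v) else "not listed as affected")
    print(find_command_floods(SAMPLE_LOG))
```

In the constructed sample, conn12 issues features six times within half a second and is flagged, while conn13's single features call and its ping are not. The grouping key is the connection context rather than the user because the command record itself does not carry the principal; correlating ctx to the authenticated user from the earlier authentication log entry is left as a follow-up step.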

Affected

7 ranges
Vendor        Product          Version range         Fixed in
mongodb       mongodb          >= 2.0.0 < 4.2.18     4.2.18
mongodb       mongodb          >= 4.4.0 < 4.4.10     4.4.10
mongodb       mongodb          >= 5.0.0 < 5.0.4      5.0.4
mongodb_inc   mongodb_server   4.0 – 4.0.28          (not listed)
mongodb_inc   mongodb_server   4.2 – 4.2.16          (not listed)
mongodb_inc   mongodb_server   4.4 – 4.4.9           (not listed)
mongodb_inc   mongodb_server   5.0 – 5.0.3           (not listed)

The two sources disagree on the 4.2 boundary: the advisory text stops at 4.2.16 inclusive, while the range data marks everything below 4.2.18 as affected. The 4.4 (4.4.10) and 5.0 (5.0.4) fix versions agree. Treat the more conservative bound as authoritative until confirmed against the vendor advisory.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.1     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
nvd             v2.0      5.5     MEDIUM     AV:N/AC:L/Au:S/C:N/I:P/A:P
osv             -         7.1     HIGH       -
vendor_redhat   -         5.4     MEDIUM     -