CVE-2021-32036: Allocation of Resources Without Limits or Throttling in MongoDB

Severity: 7.1 HIGH (NVD); 5.4 (CNA)
EPSS: 0.1% (top 65.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 4; latest update Feb 10

Description

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Exploitability: 2.8 | Impact: 4.2

Affected Packages (2 packages)

Source     | Package                       | From  | To     | Other ranges
CVEListV5  | mongodb_inc/mongodb_server    | 5.0   | 5.0.3  | +3
NVD        | mongodb/mongodb               | 2.0.0 | 4.2.18 | +2

Vulnerability Details (3 entries)

GHSA | GHSA-4wcp-phx2-2w2x: An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to res | 2022-02-10
CVEList | Denial of Service and Data Integrity vulnerability in features command | 2022-02-04
OSV | CVE-2021-32036: An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to res | 2022-02-04

Vendor Advisories (1 entry)

Red Hat | mongodb: Repeatedly invoking the features command at a high volume may lead to resource depletion | 2022-02-05