CVE-2021-32036
Published 2022-02-04
Priority P3 36 · high · 7.1 (CVSS 3.1) · AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
EPSS 1.03% (59.5th percentile)
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28
Affected
7 ranges (the `mongodb` rows are OSV/GHSA semver ranges with a fixed version; the `mongodb_inc` rows are NVD CPE ranges, inclusive at both ends, with no fixed version recorded)
| Vendor | Product | Affected range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 2.0.0 < 4.2.18 | 4.2.18 |
| mongodb | mongodb | >= 4.4.0 < 4.4.10 | 4.4.10 |
| mongodb | mongodb | >= 5.0.0 < 5.0.4 | 5.0.4 |
| mongodb_inc | mongodb_server | 4.0 – 4.0.28 (inclusive) | — |
| mongodb_inc | mongodb_server | 4.2 – 4.2.16 (inclusive) | — |
| mongodb_inc | mongodb_server | 4.4 – 4.4.9 (inclusive) | — |
| mongodb_inc | mongodb_server | 5.0 – 5.0.3 (inclusive) | — |
The two sources disagree on the 4.2 line: the OSV range runs up to (but excluding) 4.2.18, while the NVD range stops at 4.2.16, so a 4.2.17 server is flagged by one source and not the other; treat it as affected until it is on 4.2.18. No fixed version is listed for the 4.0 line, and the OSV 2.0.0–4.2.18 range covers it only by pointing at 4.2.18.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
| nvd | 2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:P |
| osv | — | 7.1 | HIGH | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |
GHSA
GHSA-4wcp-phx2-2w2x · ghsa_unreviewed · 2022-02-10 · HIGH · CWE-770
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions.
OSV
CVE-2021-32036 · osv · 2022-02-04 · CVSS 7.1 · HIGH
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28
Red Hat
mongodb: Repeatedly invoking the features command at a high volume may lead to resource depletion
vendor_redhat · 2022-02-05 · CVSS 5.4 · MEDIUM · CWE-770
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28
A flaw was found in the MongoDB database when repeatedly invoking the features command. This flaw allows an authenticated attacker without any specif
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.