CVE-2022-24272 — Reachable Assertion in INC Mongodb Server

CWE-617 — Reachable Assertion5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 35.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedApr 21

Latest updateApr 22

Description

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server5.0 — 5.0.6

▶NVDmongodb/mongodb5.0.0 — 5.0.6

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-pg6q-x7mh-7cg2: An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database↗2022-04-22

▶

CVEList

MongoDB Server (mongod) may crash in response to unexpected requests↗2022-04-21

▶

OSV

CVE-2022-24272: An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database↗2022-04-21

▶

📋Vendor Advisories

Red Hat

mongodb: authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database↗2022-04-21

▶