CVE-2024-10921Improper Neutralization of Null Byte or NUL Character in INC Mongodb Server

CWE-158Improper Neutralization of Null Byte or NUL Character4 documents4 sources
Severity
8.1HIGHNVD
CNA6.8
EPSS
0.5%
top 32.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedNov 14

Description

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server5.05.0.30+3
NVDmongodb/mongodb5.0.05.0.30+3

🔴Vulnerability Details

3
CVEList
Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server2024-11-14
GHSA
GHSA-rvjg-858g-pwh4: An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that constr2024-11-14
OSV
CVE-2024-10921: An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that constr2024-11-14
CVE-2024-10921 — INC Mongodb Server vulnerability | cvebase