CVE-2024-6375 — Improper Authorization in INC Mongodb Server

CWE-285 — Improper Authorization CWE-862 — Missing Authorization4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.4

EPSS

0.3%

top 46.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedJul 1

Description

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server5.0 — 5.0.22+2

▶NVDmongodb/mongodb5.0.0 — 5.0.22+2

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-85f9-vc47-9pr8: A command for refining a collection shard key is missing an authorization check↗2024-07-01

▶

CVEList

Missing authorization check may lead to shard key refinement↗2024-07-01

▶

OSV

CVE-2024-6375: A command for refining a collection shard key is missing an authorization check↗2024-07-01

▶