CVE-2021-32036

Denial of Service and Data Integrity vulnerability in features command

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28

Un usuario autenticado sin ninguna autorización específica puede ser capaz de invocar repetidamente el comando features donde a un alto volumen puede conllevar a un agotamiento de recursos o generar una alta contención de bloqueos. Esto puede resultar en una denegación de servicio y, en casos raros, podría resultar en colisiones del campo id

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-05 CVE Reserved
2022-02-04 CVE Published
2023-08-28 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://jira.mongodb.org/browse/SERVER-59294	2024-01-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mongodb Search vendor "Mongodb"		Mongodb Search vendor "Mongodb" for product "Mongodb"				>= 2.0.0 < 4.2.18 Search vendor "Mongodb" for product "Mongodb" and version " >= 2.0.0 < 4.2.18"		-		Affected
Mongodb Search vendor "Mongodb"		Mongodb Search vendor "Mongodb" for product "Mongodb"				>= 4.4.0 < 4.4.10 Search vendor "Mongodb" for product "Mongodb" and version " >= 4.4.0 < 4.4.10"		-		Affected
Mongodb Search vendor "Mongodb"		Mongodb Search vendor "Mongodb" for product "Mongodb"				>= 5.0.0 < 5.0.4 Search vendor "Mongodb" for product "Mongodb" and version " >= 5.0.0 < 5.0.4"		-		Affected