// For flags

CVE-2021-32036

Denial of Service and Data Integrity vulnerability in features command

Severity Score

7.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28

Un usuario autenticado sin ninguna autorización específica puede ser capaz de invocar repetidamente el comando features donde a un alto volumen puede conllevar a un agotamiento de recursos o generar una alta contención de bloqueos. Esto puede resultar en una denegación de servicio y, en casos raros, podría resultar en colisiones del campo id

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2021-05-05 CVE Reserved
  • 2022-02-04 CVE Published
  • 2023-08-28 EPSS Updated
  • 2024-11-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mongodb
Search vendor "Mongodb"
Mongodb
Search vendor "Mongodb" for product "Mongodb"
>= 2.0.0 < 4.2.18
Search vendor "Mongodb" for product "Mongodb" and version " >= 2.0.0 < 4.2.18"
-
Affected
Mongodb
Search vendor "Mongodb"
Mongodb
Search vendor "Mongodb" for product "Mongodb"
>= 4.4.0 < 4.4.10
Search vendor "Mongodb" for product "Mongodb" and version " >= 4.4.0 < 4.4.10"
-
Affected
Mongodb
Search vendor "Mongodb"
Mongodb
Search vendor "Mongodb" for product "Mongodb"
>= 5.0.0 < 5.0.4
Search vendor "Mongodb" for product "Mongodb" and version " >= 5.0.0 < 5.0.4"
-
Affected