CVE-2021-32036

MEDIUM severity · CVSS 5.4 · Resource exhaustion

5.4CVSS MEDIUM

Summary

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactNone

Integrity impactLow

Availability impactLow

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Affected products we track (1)

MongoDB

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://jira.mongodb.org/browse/SERVER-59294Advisory
https://jira.mongodb.org/browse/SERVER-59294Advisory