CVE-2021-20330 MEDIUM

CVE-2021-20330: Specific replication command with malformed oplog entries can crash secondaries

Vendor Mongodb Inc.
Product MongoDB Server
Weakness CWE-20 · Input validation
Published December 15, 2021
Last update September 16, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.

Key dates

02Disclosure timeline

December 15, 2021 CVE published
September 16, 2024 Record updated