CVE-2021-32036 MEDIUM

CVE-2021-32036: Denial of Service and Data Integrity vulnerability in features command

Vendor Mongodb Inc.
Product MongoDB Server
Weakness CWE-770 · Allocation of Resources Without Limits or Throttling
Published February 4, 2022
Last update November 19, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

Description

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command; at a high volume this may lead to resource depletion or generate high lock contention. This may result in denial of service and, in rare cases, could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16; and MongoDB Server v4.0 versions prior to and including 4.0.28.
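The two things a practitioner wants from this record are a check of whether a deployment is on an affected release and a way to notice a low-privilege account hammering the features command. The following is an added example, not MongoDB's code and not part of this advisory: it encodes the affected ranges quoted above, and runs a sliding-window rate detector over constructed log lines shaped like MongoDB 4.4+ JSON logs (the field layout, the connection context `ctx` used as the caller key, and the 100-calls-per-60-seconds threshold are assumptions; real servers only log a command when it is slow or profiling captures it, so a production detector would read the profiler collection or audit log instead).

```python
"""Triage helpers for CVE-2021-32036 (added example, not MongoDB's code).

- is_affected(): compares a server version against the affected ranges
  stated in the advisory text.
- features_command_bursts(): flags callers that issue the `features`
  command more than `threshold` times inside any sliding window.
The log lines are constructed here in the assumed shape of MongoDB 4.4+
JSON logs; field names are an assumption, not a documented contract.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Highest affected patch release per branch, taken from the advisory text.
LAST_AFFECTED = {(5, 0): 3, (4, 4): 9, (4, 2): 16, (4, 0): 28}


def parse_version(s):
    """'4.4.9' -> (4, 4, 9); tolerates '4.4' and suffixes like '4.4.9-rc0'."""
    parts = s.split("-")[0].split(".")
    parts += ["0"] * (3 - len(parts))
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True when the version falls inside a range the advisory lists."""
    major, minor, patch = parse_version(version)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return False  # branch not named in the advisory; not claimed affected
    return patch <= last


def parse_ts(iso):
    # Assumed log shape carries {"t": {"$date": "<ISO-8601 with offset>"}}
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def features_command_bursts(log_lines, window_seconds=60, threshold=100):
    """Return {caller: peak_count} for callers whose `features` invocations
    exceed `threshold` within any `window_seconds` sliding window.
    Lines that are not JSON or not COMMAND records are skipped."""
    windows = defaultdict(deque)
    flagged = {}
    for raw in log_lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("c") != "COMMAND":
            continue
        cmd = rec.get("attr", {}).get("command", {})
        when = rec.get("t", {}).get("$date")
        if "features" not in cmd or not when:
            continue
        key = rec.get("ctx", "?")
        ts = parse_ts(when)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop invocations that fell out of the window
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def make_log_line(ctx, when, command):
    """Build one constructed record in the assumed 4.4+ JSON log shape."""
    return json.dumps({
        "t": {"$date": when.isoformat()}, "s": "I", "c": "COMMAND",
        "id": 51803, "ctx": ctx, "msg": "Slow query",
        "attr": {"type": "command", "ns": "admin.$cmd",
                 "command": command, "durationMillis": 120},
    })


def sample_log():
    """Constructed sample: conn7 issues 150 `features` calls in 30 s,
    conn9 issues 5 over 40 s plus one unrelated find, and one junk line."""
    base = datetime(2022, 2, 4, 10, 0, tzinfo=timezone.utc)
    lines = ["this line is not JSON and must be skipped"]
    for i in range(150):
        lines.append(make_log_line("conn7", base + timedelta(milliseconds=200 * i),
                                   {"features": 1, "$db": "admin"}))
    for i in range(5):
        lines.append(make_log_line("conn9", base + timedelta(seconds=10 * i),
                                   {"features": 1, "$db": "admin"}))
    lines.append(make_log_line("conn9", base, {"find": "users", "$db": "app"}))
    return lines


if __name__ == "__main__":
    for v in ("4.4.9", "4.4.10", "5.0.3", "5.0.4"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(features_command_bursts(sample_log()))
```

The version check is a patch-level comparison only; a deployment on an unlisted branch returns False because the advisory makes no claim about it, not because it is known safe. The detector keys on the connection context so that one session's burst stands out even when many users share a role; keying on the authenticated user (from the audit log) would catch an attacker spreading calls across connections.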

Key dates

Disclosure timeline

February 4, 2022 CVE published
November 19, 2024 Record updated