CVE-2021-32037 MEDIUM

CVE-2021-32037: User may trigger invariant when allowed to send commands directly to shards

Vendor MongoDB Inc.
Product MongoDB Server
Weakness CWE-617
Published November 24, 2021
Last update September 16, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

An authorized user may trigger an invariant, which may result in denial of service or server exit, if a relevant aggregation request is sent directly to a shard. Usually, such requests are sent via mongos, and special privileges are required to learn the addresses of the shards and to log in to them in an auth-enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.

Key dates

Disclosure timeline

November 24, 2021 CVE published
September 16, 2024 Record updated