CVE-2024-8013 LOW

CVE-2024-8013: CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines

Vendor Mongodb Inc
Product mongocryptd
Weakness CWE-319 · Cleartext transmission
Published October 28, 2024
Last update October 28, 2024

CVSS base score

2.2/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.

Key dates

02Disclosure timeline

October 28, 2024 CVE published
October 28, 2024 Record updated