CVE-2024-10921

Summary

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

Affected Software

VendorProductVersion RangeStatus
MongoDB IncMongoDB Server5.0 < 5.0.30affected
MongoDB IncMongoDB Server6.0 < 6.0.19affected
MongoDB IncMongoDB Server7.0 < 7.0.15affected
MongoDB IncMongoDB Server8.0 < 8.0.3affected

Weaknesses

  • CWE-158: CWE-158: Improper Neutralization of Null Byte or NUL Character

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References