CVE-2024-6375

Summary

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.

Affected Software

VendorProductVersion RangeStatus
MongoDB IncMongoDB Server5.0 < 5.0.22affected
MongoDB IncMongoDB Server6.0 < 6.0.11affected
MongoDB IncMongoDB Server7.0 < 7.0.3affected

Weaknesses

  • CWE-285: CWE-285: Improper Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References