QwikSec

Security Database

CVE

CWE

Training

CVE-2021-32040

Published: Apr 12, 2022

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.

Vendor	Product	Versions
MongoDB Inc.	MongoDB Server	affected `5.0 - < 5.0.4` affected `4.4 - <= 4.4.28` affected `4.2 - < 4.2.16`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://jira.mongodb.org/browse/SERVER-58203

x_refsource_MISC

https://jira.mongodb.org/browse/SERVER-59299

x_refsource_MISC

https://jira.mongodb.org/browse/SERVER-60218

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220609-0005/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.