First published: Wed Dec 15 2021
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.
Credit: cna@mongodb.com
Affected Software | Affected Version | How to fix
---|---|---
MongoDB Server | >=4.0.0, <4.0.25 | Upgrade to 4.0.25 or later
MongoDB Server | >=4.2.0, <4.2.14 | Upgrade to 4.2.14 or later
MongoDB Server | >=4.4.0, <4.4.6 | Upgrade to 4.4.6 or later
CVE-2021-20330 is a vulnerability that allows an attacker with basic CRUD permissions on a replicated collection to run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries.
CVE-2021-20330 affects MongoDB Server v4.0 versions prior to 4.0.25, MongoDB Server v4.2 versions prior to 4.2.14, and MongoDB Server v4.4 versions prior to 4.4.6.
CVE-2021-20330 has a severity rating of medium with a score of 6.5.
To fix CVE-2021-20330, it is recommended to upgrade to MongoDB Server version 4.0.25 (or later) for v4.0, 4.2.14 (or later) for v4.2, or 4.4.6 (or later) for v4.4.
You can find more information about CVE-2021-20330 on the MongoDB Jira page: https://jira.mongodb.org/browse/SERVER-36263.
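A small check that turns the affected-version table above into something you can run against your own deployments. This is an added example, not code from SecAlerts or MongoDB: it parses a server version string (the `version` field of the `buildInfo` command, or the output of `db.version()`) and reports which release fixes CVE-2021-20330 for that branch, or `None` if the version is outside the affected ranges. Release-candidate builds (a `-rcN` suffix) are ordered before the final release they precede, so `4.0.25-rc0` is still reported as affected; the `buildInfo` dictionary used at the bottom is constructed for the example.

```python
# Added example for CVE-2021-20330 (not part of the advisory or of MongoDB's code).
# Checks a MongoDB server version against the advisory's affected ranges and
# names the fixed release to upgrade to.
from typing import Dict, Optional, Tuple

# Version tuple: (major, minor, patch, stage) where stage 0 = release candidate,
# 1 = final release, so that "4.0.25-rc0" sorts below "4.0.25".
Version = Tuple[int, int, int, int]

# Affected ranges from the advisory table: first affected build (inclusive)
# up to the fixed release (exclusive), one entry per branch.
AFFECTED_RANGES = [
    ((4, 0, 0, 0), (4, 0, 25, 1)),
    ((4, 2, 0, 0), (4, 2, 14, 1)),
    ((4, 4, 0, 0), (4, 4, 6, 1)),
]


def parse_version(version: str) -> Version:
    """Parse 'X.Y.Z' with an optional suffix ('-rc0', '-ent', ...) into a sortable tuple."""
    text = version.strip()
    core, _, suffix = text.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    # Only an rc suffix denotes a pre-release; '-ent' and similar are builds of
    # the final release and keep its ordering.
    stage = 0 if suffix.lower().startswith("rc") else 1
    return (major, minor, patch, stage)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release fixing CVE-2021-20330 for this version, or None if not affected."""
    v = parse_version(version)
    for first_affected, fixed in AFFECTED_RANGES:
        if first_affected <= v < fixed:
            return ".".join(str(n) for n in fixed[:3])
    return None


def assess_build_info(build_info: Dict[str, str]) -> str:
    """Summarise the result for a buildInfo-style document (only 'version' is read)."""
    fixed = fixed_version_for(build_info["version"])
    if fixed is None:
        return f"{build_info['version']}: not affected by CVE-2021-20330"
    return f"{build_info['version']}: affected by CVE-2021-20330, upgrade to {fixed} or later"


if __name__ == "__main__":
    # Constructed sample, shaped like the 'version' field of buildInfo.
    sample_build_info = {"version": "4.2.13"}
    print(assess_build_info(sample_build_info))
    for v in ("4.0.24", "4.0.25", "4.0.25-rc0", "4.4.5", "4.4.6-ent", "5.0.0"):
        print(v, "->", fixed_version_for(v))
```

Run it against the `version` value each `mongod` reports, remembering that every member of a replica set needs to be at or above the fixed release, since the denial of service described in the advisory lands on the secondaries.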