First published: Fri Feb 04 2022(Updated: )
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions.
Credit: cna@mongodb.com cna@mongodb.com
Affected Software | Affected Version | How to fix |
---|---|---|
MongoDB MongoDB | >=2.0.0<4.2.18 | |
MongoDB MongoDB | >=4.4.0<4.4.10 | |
MongoDB MongoDB | >=5.0.0<5.0.4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-32036 is a vulnerability that allows an authenticated user without specific authorizations to repeatedly invoke the features command, leading to resource depletion or high lock contention, resulting in denial of service and potential ID field collisions.
CVE-2021-32036 affects versions 2.0.0 to 4.2.18, 4.4.0 to 4.4.10, and 5.0.0 to 5.0.4 of MongoDB.
CVE-2021-32036 has a severity rating of 7.1 (high).
An authenticated user can exploit CVE-2021-32036 by repeatedly invoking the features command at a high volume, causing resource depletion or generating high lock contention.
Yes, MongoDB has released a fix for CVE-2021-32036. It is recommended to update to a patched version of MongoDB to mitigate the vulnerability.