First published: Tue Apr 12 2022
An extremely long aggregation pipeline, in conjunction with a specific stage/operator, may cause a stack overflow because of the size of the stack frames that stage uses. An attacker who could cause such an aggregation to run could crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: users on v4.2.16 or later and all v4.4 users can start mongod with --setParameter internalPipelineLengthLimit=50 (instead of the default 1000) to prevent the crash.
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MongoDB | >=4.2.0, <4.2.16 | |
| MongoDB | >=4.4.0, <4.4.11 | |
| MongoDB | >=5.0.0, <5.0.4 | |
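The following audit helper is an added example, not code from MongoDB or SecAlerts. It takes the affected ranges from the table above and the workaround value from the advisory, and classifies an instance from its version string and its `getParameter` response; the `assess` function and the constructed inputs are assumptions made here.

```python
# Added audit helper (not MongoDB's own code). On a live server the two
# inputs would come from db.version() and
#   db.adminCommand({getParameter: 1, internalPipelineLengthLimit: 1})
# Here they are constructed so the check runs offline.
from typing import Dict, List, Tuple

# Affected ranges from the advisory table: [min_inclusive, max_exclusive)
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((4, 2, 0), (4, 2, 16)),
    ((4, 4, 0), (4, 4, 11)),
    ((5, 0, 0), (5, 0, 4)),
]
DEFAULT_PIPELINE_LIMIT = 1000  # mongod default stated in the advisory
WORKAROUND_LIMIT = 50          # value the advisory recommends


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.4.10' (or '4.4.10-rc0') into a comparable (major, minor, patch)."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside any range in the table."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(version: str, params: Dict[str, object]) -> str:
    """Return 'patched', 'mitigated' or 'vulnerable' for CVE-2021-32040."""
    if not is_affected(version):
        return "patched"
    limit = int(params.get("internalPipelineLengthLimit", DEFAULT_PIPELINE_LIMIT))
    # The advisory offers the startup-parameter workaround to v4.4 users
    # (and to >= v4.2.16, which the table already lists as fixed). Setting
    # it in mongod.conf: a "setParameter:" section with
    # internalPipelineLengthLimit: 50. Affected 4.2.x and 5.0.x need an upgrade.
    if parse_version(version)[:2] == (4, 4) and limit <= WORKAROUND_LIMIT:
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample: a 4.4.10 node with the default limit, then with 50.
    print(assess("4.4.10", {"internalPipelineLengthLimit": 1000, "ok": 1}))
    print(assess("4.4.10", {"internalPipelineLengthLimit": 50, "ok": 1}))
```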
CVE-2021-32040 is a vulnerability in MongoDB that allows an attacker to cause a stack overflow and crash the database server in a denial-of-service (DoS) attack.
CVE-2021-32040 has a severity score of 7.5, which is considered high.
Versions 4.2.0 to 4.2.16, 4.4.0 to 4.4.11, and 5.0.0 to 5.0.4 of MongoDB are affected by CVE-2021-32040.
An attacker can exploit CVE-2021-32040 by constructing an extremely long aggregation pipeline in MongoDB with a specific stage/operator, causing a stack overflow and crashing the database server.
MongoDB has released patches to fix CVE-2021-32040. Users are advised to upgrade to the latest patched version of MongoDB to mitigate the vulnerability.