CVE-2024-7553: Accessing Untrusted Directory May Allow Local Privilege Escalation
First published: Wed Aug 07 2024(Updated: )
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| MongoDB | >=5.0.0<5.0.27 | |
| Any of | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows Server 2016 | ||
| Microsoft Windows Server 2019 | ||
| All of | ||
| MongoDB | >=6.0.0<6.0.16 | |
| Any of | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows Server 2016 | ||
| Microsoft Windows Server 2019 | ||
| All of | ||
| Any of | ||
| MongoDB | >=7.0.0<7.0.12 | |
| MongoDB | >=7.3.0<7.3.3 | |
| Any of | ||
| Windows 11 | ||
| Windows 11 | ||
| Windows 11 | ||
| Windows 11 | ||
| Microsoft Windows Server 2019 | ||
| Microsoft Windows Server 2022 | ||
| All of | ||
| MongoDB C Driver | <1.26.2 | |
| Any of | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Windows 11 | ||
| Windows 11 | ||
| Windows 11 | ||
| Windows 11 | ||
| Microsoft Windows Server 2016 | ||
| Microsoft Windows Server 2019 | ||
| Microsoft Windows Server 2022 | ||
| All of | ||
| MongoDB PHP Driver | <1.18.1 | |
| Any of | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | ||
| Windows 11 | ||
| Windows 11 | ||
| Windows 11 | ||
| Windows 11 | ||
| Microsoft Windows Server 2016 | ||
| Microsoft Windows Server 2019 | ||
| Microsoft Windows Server 2022 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-7553?
CVE-2024-7553 has a high severity rating due to its potential for local privilege escalation.
How do I fix CVE-2024-7553?
To mitigate CVE-2024-7553, ensure that your MongoDB version is updated to the latest release beyond the affected versions 5.0.27 and 6.0.16.
Which versions of MongoDB are affected by CVE-2024-7553?
CVE-2024-7553 affects MongoDB versions ranging from 5.0.0 to 5.0.27 and from 6.0.0 to 6.0.16, as well as some other specific versions.
Can CVE-2024-7553 be exploited on Windows operating systems?
Yes, CVE-2024-7553 can be exploited on Windows operating systems due to incorrect validation of files from untrusted directories.
Are there any solutions for applications using MongoDB affected by CVE-2024-7553?
Applications using affected versions of MongoDB should upgrade to secure versions and review their file validation mechanisms.
- agent/weakness
- agent/author
- agent/references
- agent/type
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mongodb
- canonical/mongodb
- version/mongodb/5.0.0
- vendor/microsoft
- canonical/microsoft windows 10
- canonical/microsoft windows server 2016
- canonical/microsoft windows server 2019
- version/mongodb/6.0.0
- version/mongodb/7.0.0
- version/mongodb/7.3.0
- canonical/windows 11
- canonical/microsoft windows server 2022
- canonical/mongodb c driver
- canonical/mongodb php driver