Bug 2026509 (CVE-2021-32037)
| Summary: | CVE-2021-32037 mongodb: Using $sample can trigger invariant when connecting directly to shards | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | athomas, bkearney, dbecker, jjoyce, jschluet, lhh, lpeer, mburns, sclewis, slinaber |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mongodb 5.0.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An assertion flaw was found in the mongodb server where an aggregation request could trigger an invariant. An authorized user could exploit this flaw by sending a relevant aggregation request to a shard, which could result in a denial of service or server exit. Requests are usually sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth-enabled environment.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2028482 | ||
| Bug Blocks: | 2026510 | ||
|
Description
Pedro Sampaio
2021-11-24 22:03:33 UTC
|