MongoDB Server up to 5.0.29/6.0.18/7.0.14/8.0.3 BSON Requests null byte or nul character

Summaryinfo

A vulnerability marked as critical has been reported in MongoDB Server up to 5.0.29/6.0.18/7.0.14/8.0.3. Impacted is an unknown function of the component BSON Requests Handler. This manipulation causes improper neutralization of null byte or nul character. This vulnerability is registered as CVE-2024-10921. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in MongoDB Server up to 5.0.29/6.0.18/7.0.14/8.0.3 and classified as critical. Affected by this vulnerability is an unknown code of the component BSON Requests Handler. The manipulation with an unknown input leads to a improper neutralization of null byte or nul character vulnerability. The CWE definition for the vulnerability is CWE-158. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. As an impact it is known to affect confidentiality, and availability. The summary by CVE is:

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

It is possible to read the advisory at jira.mongodb.org. This vulnerability is known as CVE-2024-10921 since 11/06/2024. The exploitation appears to be difficult. The attack can be launched remotely. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 5.0.30, 6.0.19 or 7.0.15 eliminates this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Database Software

Vendor

• MongoDB

Name

• Server

Version

• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.0.7
• 5.0.8
• 5.0.9
• 5.0.10
• 5.0.11
• 5.0.12
• 5.0.13
• 5.0.14
• 5.0.15
• 5.0.16
• 5.0.17
• 5.0.18
• 5.0.19
• 5.0.20
• 5.0.21
• 5.0.22
• 5.0.23
• 5.0.24
• 5.0.25
• 5.0.26
• 5.0.27
• 5.0.28
• 5.0.29
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.0.16
• 6.0.17
• 6.0.18
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.0.11
• 7.0.12
• 7.0.13
• 7.0.14
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion