Headline
CVE-2021-32036: [SERVER-59294] Check action type for oidReset
Title
Denial of Service and Data Integrity vulnerability in features command
CVE ID
CVE-2021-32036
Description
An authenticated user without any specific authorizations may be able to invoke the features command repeatedly; at high volume this may lead to resource depletion or generate high lock contention. This may result in denial of service and, in rare cases, could result in id field collisions.
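The description above is about volume: a single features call is harmless, a sustained burst from one client is the condition that exhausts resources. A defender therefore wants a rate-based check over the server log rather than a per-command rule. The following is an added example, not code from the advisory or from the MongoDB project. It assumes log lines in the JSON structured-log shape (field paths t.$date, c, attr.command and attr.remote are assumptions; adjust them to your logging configuration), it uses constructed sample lines rather than real captures, and it treats the oidReset parameter named in the ticket title as a field of the features command document (an assumption about the command's spelling). It flags any client whose features calls within a sliding window reach a threshold, and separately flags any call carrying oidReset, since that is the parameter the server ticket concerns.

```python
"""Rate-based detector for bursts of the MongoDB `features` command."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 20               # features calls per window considered abnormal
WINDOW = timedelta(seconds=10)


def make_line(ts, remote, cmd):
    """Build one constructed log line in the assumed structured-log shape."""
    rec = {"t": {"$date": ts.isoformat(timespec="milliseconds")},
           "s": "I", "c": "COMMAND", "id": 51803, "ctx": "conn1",
           "msg": "Slow query",
           "attr": {"type": "command", "ns": "admin.$cmd",
                    "command": cmd, "remote": remote, "durationMillis": 0}}
    return json.dumps(rec)


# Constructed sample input (fabricated for this example, not real captures).
BASE = datetime(2021, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # an unrelated command that the detector must ignore
    [make_line(BASE, "10.0.0.9:40000", {"ping": 1, "$db": "admin"})]
    # benign client: two features calls a minute apart
    + [make_line(BASE + timedelta(minutes=i), "10.0.0.5:41000",
                 {"features": 1, "$db": "admin"}) for i in range(2)]
    # noisy client: 25 calls within five seconds
    + [make_line(BASE + timedelta(milliseconds=200 * i), "10.0.0.7:42000",
                 {"features": 1, "$db": "admin"}) for i in range(25)]
    # a single call carrying the oidReset parameter (assumed field name)
    + [make_line(BASE, "10.0.0.8:43000",
                 {"features": 1, "oidReset": 1, "$db": "admin"})]
)


def parse_line(line):
    """Return (timestamp, remote, command_doc) for COMMAND entries, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("c") != "COMMAND":
        return None
    attr = rec.get("attr", {})
    cmd = attr.get("command")
    if not isinstance(cmd, dict):
        return None
    ts = datetime.fromisoformat(rec["t"]["$date"])
    return ts, attr.get("remote", "unknown"), cmd


def is_features_call(cmd):
    """The first key of a command document names the command."""
    return next(iter(cmd), None) == "features"


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of features calls per client address.

    Returns {remote: {"max_in_window": n, "oid_reset": bool}} for every
    client that reached `threshold` calls inside any `window`, or that
    sent the oidReset parameter at all.
    """
    recent = defaultdict(deque)      # remote -> timestamps inside the window
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, remote, cmd = parsed
        if not is_features_call(cmd):
            continue
        q = recent[remote]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        entry = findings.setdefault(remote, {"max_in_window": 0, "oid_reset": False})
        entry["max_in_window"] = max(entry["max_in_window"], len(q))
        if cmd.get("oidReset"):
            entry["oid_reset"] = True
    return {r: e for r, e in findings.items()
            if e["max_in_window"] >= threshold or e["oid_reset"]}


if __name__ == "__main__":
    for remote, info in detect_bursts(SAMPLE_LOG).items():
        print(f"{remote}: peak {info['max_in_window']} calls/window, "
              f"oidReset seen: {info['oid_reset']}")
```

Because features completes in well under the default slow-query threshold, it will not normally appear in the log at all; to see every command for this check, raise the COMMAND log component verbosity (for example `db.setLogLevel(1, "command")`) on the instance being monitored, or feed the detector from an equivalent source such as the database profiler. The threshold and window are tuning knobs: drivers and monitoring agents may issue features legitimately, so baseline the normal per-client rate before alerting.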
CVSS score
This issue’s CVSS:3.1 severity is scored at 5.4 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Affected versions
MongoDB Server v5.0.0-v5.0.3, v4.4.0-v4.4.9, v4.2.0-v4.2.16, and all prior versions going back to v2.0.0
CWE
CWE-770: Allocation of Resources Without Limits or Throttling
Underlying operating systems affected
ALL
How the issue was reported
Internally
External Reference link (server ticket)
SERVER-59294