CVE-2024-10921

EPSS 0.29%
Published 14.11.2024 16:15:18
Last modified 01.10.2025 18:40:03
Source cna@mongodb.com
Teams watchlist Login
Open Login

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Mongodb ≫ Mongodb Version >= 5.0.0 < 5.0.30

Mongodb ≫ Mongodb Version >= 6.0.0 < 6.0.19

Mongodb ≫ Mongodb Version >= 7.0.0 < 7.0.15

Mongodb ≫ Mongodb Version >= 8.0.0 < 8.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.29%	0.521

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
cna@mongodb.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-158 Improper Neutralization of Null Byte or NUL Character

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

https://jira.mongodb.org/browse/SERVER-96419

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-10921

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-10921

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-10921

EUVD