CVE-2021-20333

Published: Jul 23, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.

Affected (3)

Products: Mongodb: Mongodb

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mongodb Mongodb	From 3.6.0 to 3.6.20
Mongodb Mongodb	From 4.0.0 to 4.0.21
Mongodb Mongodb	From 4.2.0 to 4.2.10

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

References (2)

https://jira.mongodb.org/browse/SERVER-50605

Source: cna@mongodb.com

ExploitPatchVendor Advisory

https://jira.mongodb.org/browse/SERVER-50605

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchVendor Advisory

Timeline

No history available yet.