CVE-2024-7553

Published: Aug 7, 2024Modified: Sep 19, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue

Affected (6)

Products: Mongodb: Mongodb, C Driver, Php Driver

3 products

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mongodb Mongodb	From 5.0.0 to 5.0.27

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Mongodb Mongodb	From 6.0.0 to 6.0.16

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Mongodb Mongodb	From 7.0.0 to 7.0.12
Mongodb Mongodb	From 7.3.0 to 7.3.3

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Mongodb C Driver	Before 1.26.2

Configuration E

1 vulnerable · 21 platform

Vulnerable Software	Affected Versions
Mongodb Php Driver	Before 1.18.1

Running on/with	Platform Versions
Microsoft Windows 10 1507	All versions
Microsoft Windows 10 1511	All versions
Microsoft Windows 10 1607	All versions
Microsoft Windows 10 1703	All versions
Microsoft Windows 10 1709	All versions
Microsoft Windows 10 1803	All versions
Microsoft Windows 10 1809	All versions
Microsoft Windows 10 1903	All versions
Microsoft Windows 10 1909	All versions
Microsoft Windows 10 2004	All versions
Microsoft Windows 10 20h2	All versions
Microsoft Windows 10 21h1	All versions
Microsoft Windows 10 21h2	All versions
Microsoft Windows 10 22h2	All versions
Microsoft Windows 11	All versions
Microsoft Windows 11 21h2	All versions
Microsoft Windows 11 22h2	All versions
Microsoft Windows 11 23h2	All versions
Microsoft Windows Server 2016	All versions
Microsoft Windows Server 2019	All versions
Microsoft Windows Server 2022	All versions

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (3)

https://jira.mongodb.org/browse/CDRIVER-5650

Source: cna@mongodb.com

Vendor Advisory

https://jira.mongodb.org/browse/PHPC-2369

Source: cna@mongodb.com

Vendor Advisory

https://jira.mongodb.org/browse/SERVER-93211

Source: cna@mongodb.com

Vendor Advisory

Timeline

No history available yet.