Local privilege escalation in MongoDB Compass for Windows
CVE-2021-20334

4.8MEDIUM

Key Information:

Vendor: MongoDB
Status: Mongodb Compass
Vendor: CVE Published:; 6 April 2021

What is CVE-2021-20334?

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.

Affected Version(s)

MongoDB Compass Windows 1.3.0 < 1.x*

References

https://jira.mongodb.org/browse/COMPASS-4510

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2021
Vulnerability Reserved
Dec 17, 2020

Credit

Hou JingYi (@hjy79425575)