Data Exposure in MongoDB Enterprise Server Due to Bug in Query Analysis
CVE-2024-8013
3.3LOW
Summary
A vulnerability exists within the query analysis mechanism of MongoDB Enterprise Server, specifically in complex self-referential $lookup subpipelines. This issue can lead to encrypted fields being transmitted to the server as plaintext, rather than maintaining their intended encrypted state. As a result, no documents are returned or created during these operations, potentially exposing sensitive information. The affected components include specific versions of the mongocryptd binary and the mongo_crypt_v1.so shared libraries. Corrective actions may be necessary for versions released prior to specified updates to ensure data security and integrity.
References
CVSS V3.1
Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published