Data Exposure in MongoDB Enterprise Server Due to Bug in Query Analysis
CVE-2024-8013

3.3LOW

Key Information:

Vendor
Mongodb
Vendor
CVE Published:
28 October 2024

Summary

A vulnerability exists within the query analysis mechanism of MongoDB Enterprise Server, specifically in complex self-referential $lookup subpipelines. This issue can lead to encrypted fields being transmitted to the server as plaintext, rather than maintaining their intended encrypted state. As a result, no documents are returned or created during these operations, potentially exposing sensitive information. The affected components include specific versions of the mongocryptd binary and the mongo_crypt_v1.so shared libraries. Corrective actions may be necessary for versions released prior to specified updates to ensure data security and integrity.

References

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.