CVE-2024-8013
CVE-2024-8013 is a low-severity vulnerability rated 3.3/10 on the CVSS scale. A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. EPSS estimates a 0.12% chance of exploitation in the next 30 days.
Description
A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mongodb | Mongo Crypt V1.So | >= 6.0.0, < 6.0.17 |
| Mongodb | Mongo Crypt V1.So | >= 7.0.0, < 7.0.12 |
| Mongodb | Mongo Crypt V1.So | >= 7.3.0, < 7.3.4 |
| Mongodb | Mongocryptd | >= 5.0.0, < 5.0.29 |
| Mongodb | Mongocryptd | >= 6.0.0, < 6.0.17 |
| Mongodb | Mongocryptd | >= 7.0.0, < 7.0.12 |
| Mongodb | Mongocryptd | >= 7.3.0, < 7.3.4 |
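The table above gives the affected ranges as half-open intervals (lower bound inclusive, upper bound exclusive), with the upper bound of each row being the first fixed release. The following is an added example, not code from MongoDB or from the advisory, that encodes those rows and checks a deployed component version against them; it assumes version strings of the form `major.minor.patch` (an optional leading `v` is tolerated) and uses the component labels `mongocryptd` and `mongo_crypt_v1.so` as dictionary keys of its own choosing.

```python
import re

# Affected version ranges copied from the CVE-2024-8013 affected-software table.
# Each tuple is (first affected, first fixed): affected if first <= v < fixed.
AFFECTED_RANGES = {
    "mongocryptd": [
        ("5.0.0", "5.0.29"),
        ("6.0.0", "6.0.17"),
        ("7.0.0", "7.0.12"),
        ("7.3.0", "7.3.4"),
    ],
    "mongo_crypt_v1.so": [
        ("6.0.0", "6.0.17"),
        ("7.0.0", "7.0.12"),
        ("7.3.0", "7.3.4"),
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a 'major.minor.patch' string.

    Any suffix after the patch number (e.g. a pre-release tag) is ignored,
    since the advisory ranges are expressed on the numeric triple only.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def fixed_version(component, version):
    """Return the first fixed release for an affected version, else None.

    None means the version falls outside every affected range for that
    component (already fixed, or a release line the advisory does not list).
    """
    ver = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES[component]:
        if parse_version(first_affected) <= ver < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(component, version):
    """True if the given component version is inside an affected range."""
    return fixed_version(component, version) is not None


if __name__ == "__main__":
    # Constructed sample inventory: (component, version) pairs as an
    # operator might collect them from hosts running client-side encryption.
    inventory = [
        ("mongocryptd", "5.0.28"),
        ("mongocryptd", "7.0.12"),
        ("mongo_crypt_v1.so", "v7.3.3"),
        ("mongo_crypt_v1.so", "8.0.0"),
    ]
    for component, version in inventory:
        fix = fixed_version(component, version)
        status = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{component} {version}: {status}")
```

Note that a version outside every listed range (for example a 5.0.x `mongo_crypt_v1.so`, or any 8.0 release) reports "not in an affected range", which only means the advisory does not list it; it is not a statement that the release line was ever evaluated.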
References
- https://jira.mongodb.org/browse/SERVER-96254 (Vendor Advisory)
Source: NVD / NIST
