CVE-2024-6375

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-6375

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6375.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-6375

Aliases

BIT-mongodb-2024-6375

Related

UBUNTU-CVE-2024-6375

Published

2024-07-01T15:15:17Z

Modified

2025-01-08T09:58:34.261934Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVSS Calculator

Summary

[none]

Details

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.

References

https://jira.mongodb.org/browse/SERVER-79327

Affected packages

Git / github.com/mongodb/mongo

Affected ranges

Type: GIT
Repo: https://github.com/mongodb/mongo
Events: Introduced

37d84072b5c5b9fd723db5fa133fb202ad2317f1

Fixed

b96efb7e0cf6134d5938de8a94c37cec3f22cff4

Affected versions

r7.*

r7.0.0

r7.0.1

r7.0.1-rc0

r7.0.2

r7.0.2-rc0

r7.0.2-rc1

r7.0.2-rc2

r7.0.3-rc0