CVE-2021-32040 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-32040 PUBLISHED

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.

EPSS 1.53% · 81.2th percentile

Risk Scores

EPSS Score

1.53%

81.2th percentile

Affected Products

Vendor	Product	Versions
Bitnami	mongodb	4.4.0, 5.0.0, 4.2.0
Bitnami	mongodb	4.2.0, 4.4.0, 5.0.0

Timeline

Apr 12, 2022 CVE Published
Apr 13, 2022 EPSS Score
Jun 2, 2022 EPSS Score
Jul 22, 2022 EPSS Score
Sep 10, 2022 EPSS Score
Oct 30, 2022 EPSS Score
Feb 6, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
Mar 30, 2023 PoC Published
May 16, 2023 EPSS Score
Jul 5, 2023 EPSS Score

References

Open in Interactive Console →