CVE-2021-32036
Publication date 4 February 2022
Last updated 18 February 2026
Ubuntu priority
Cvss 3 Severity Score
Description
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and, in rare cases, could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16; and MongoDB Server v4.0 versions prior to and including 4.0.28.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mongodb | 20.04 LTS focal | Vulnerable, fix deferred |
| mongodb | 18.04 LTS bionic | Vulnerable, fix deferred |
| mongodb | 16.04 LTS xenial | Vulnerable, fix deferred |
| mongodb | 14.04 LTS trusty | Vulnerable, fix deferred |
Notes
sbeattie
The `oidReset` command implementation has existed in a couple of different locations in mongodb history, in src/mongo/db/commands/generic.cpp during 3.6.x and src/mongo/db/dbcommands_generic.cpp in the 2.x timeframe. All of those implementations of `oidReset` lack an authorization requirement. All of the upstream commits for this issue are on branches licensed under mongodb's SSPL, which makes backporting them to GNU Affero licensed versions problematic.
john-breton
Patches were released after the switch to SSPL upstream; as such, we cannot use them to patch Ubuntu releases. The hope is that a license-compliant third party will make patches available in the future.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |