CVE-2021-20326 Performing a specific type of find query in MongoDB may trigger a denial of service. 10th May 2021

Preface: The term ‘NoSQL’ means ‘non-relational’: MongoDB is not built on the table-based structure of a relational database.

Background: MongoDB’s storage format is called BSON, a binary format similar to JSON. Traditional databases store data in tabular format; MongoDB instead uses collections of documents rather than tables of rows to organize and store data. A document has fields and values, as in JSON. Field types include scalar types (string, number, date, etc.) and composite types (arrays and objects). Query operations on array fields use the db.collection.find() method in the mongo shell. MongoDB also supports query operations on geospatial data, which can be stored as GeoJSON objects or as legacy coordinate pairs.

Vulnerability details: A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4. For more details, please refer to the attached diagram.

Remedy: Add stricter parser checks around positional projection
Branch: v4.4 – https://github.com/mongodb/mongo/commit/0c7f643a2dfe4000ac9630ed5dace0cb40ec9740
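The fix lives in the server’s parser, but an application that accepts user-supplied projections can also reject malformed positional projections before they reach db.collection.find(). The following is an added example (not from this post and not MongoDB’s own code) that encodes the documented constraints on the positional "$" projection operator; it does not reproduce the checks in the linked commit, and it assumes only top-level filter keys need inspecting (conditions nested under $and / $or are not unwrapped).

```javascript
// Added example: application-side pre-check for the positional "$" projection.
// Encodes the documented rules for "$" projection; it is not the server-side
// parser fix from the linked commit. Only top-level filter keys are inspected.

function validatePositionalProjection(filter, projection) {
  const errors = [];
  const positional = Object.keys(projection).filter(
    (path) => path.split(".").includes("$")
  );

  // Documented rule: at most one positional "$" operator per projection.
  if (positional.length > 1) {
    errors.push("only one positional $ operator may appear in a projection");
  }

  for (const path of positional) {
    const parts = path.split(".");
    const idx = parts.indexOf("$");

    // Documented rule: "$" must be the last path component
    // ("grades.$" is valid, "grades.$.score" is not).
    if (idx !== parts.length - 1) {
      errors.push(`positional $ must end the path in "${path}"`);
    }

    // Documented rule: the projected array field must also be constrained in
    // the query filter so the server knows which element matched. A condition
    // on "grades" or on a sub-field such as "grades.score" both satisfy this.
    const arrayField = parts.slice(0, idx).join(".");
    const constrained = Object.keys(filter).some(
      (k) => k === arrayField || k.startsWith(arrayField + ".")
    );
    if (!arrayField || !constrained) {
      errors.push(`query filter has no condition on array field "${arrayField}"`);
    }
  }
  return errors; // empty array: the projection passes the pre-check
}

// Constructed sample: a well-formed positional projection on a "grades" array.
const accepted = validatePositionalProjection(
  { grades: { $gte: 85 } },
  { "grades.$": 1 }
);
// Constructed sample: "$" mid-path plus a second positional operator on an
// array field that the filter never mentions.
const rejected = validatePositionalProjection(
  { "grades.score": 85 },
  { "grades.$.score": 1, "tags.$": 1 }
);
```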
