CVE-2021-20333 : Sending specially crafted commands to a MongoDB Server may result in artificial

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.

Published 2021-07-23 12:15:08

Updated 2024-09-17 03:15:35

Source MongoDB, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-20333

Mongodb » Mongodb
Versions from including (>=) 4.2.0 and before (<) 4.2.10
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
Matching versions
Mongodb » Mongodb
Versions from including (>=) 3.6.0 and before (<) 3.6.20
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
Matching versions
Mongodb » Mongodb
Versions from including (>=) 4.0.0 and before (<) 4.0.21
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-20333

Top countries where our scanners detected CVE-2021-20333

Top open port discovered on systems with this issue 27017

IPs affected by CVE-2021-20333 8,305

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-20333!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-20333

EPSS FAQ

0.44%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-20333

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	MongoDB, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2021-20333

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Assigned by: nvd@nist.gov (Primary)
CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

Assigned by: cna@mongodb.com (Secondary)

References for CVE-2021-20333

https://jira.mongodb.org/browse/SERVER-50605

[SERVER-50605] Add {logMessage: "msg"} test-only command - MongoDB Jira
Exploit;Patch;Vendor Advisory