Description

A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.

INFO

Published Date :

2024-10-28T12:58:05.317Z

Last Modified :

2024-10-28T13:39:31.561Z

Source :

mongodb
AFFECTED PRODUCTS

The following products are affected by CVE-2024-8013 vulnerability.

Vendors Products
Mongodb
  • Mongo Crypt V1.so
  • Mongocryptd
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-8013.

URL Resource
https://jira.mongodb.org/browse/SERVER-96254 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact