MongoDB Server LPE: Untrusted File Validation on Windows (before 7.3.3)
CVE-2024-7553 Published on August 7, 2024
Accessing Untrusted Directory May Allow Local Privilege Escalation
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.
Required Configuration:
Only environments with Windows as the underlying operating system is affected by this issue
Vulnerability Analysis
CVE-2024-7553 can be exploited with local system access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-7553 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2024-7553
Want to know whenever a new CVE is published for MongoDB? stack.watch will email you.
Affected Versions
MongoDB Inc MongoDB Server:- Version 5.0 and below 5.0.27 is affected.
- Version 6.0 and below 6.0.16 is affected.
- Version 7.0 and below 7.0.12 is affected.
- Version 7.3 and below 7.3.3 is affected.
- Before 1.26.2 is affected.
- Before 1.18.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.