PT-2024-38752 · Mongodb+2 · Mongo Crypt V1.So+3
Karman Liu · Published 2024-10-28 · Updated 2025-03-26 · CVE-2024-8013
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
mongocryptd versions prior to 5.0.29
mongocryptd versions prior to 6.0.17
mongocryptd versions prior to 7.0.12
mongocryptd versions prior to 7.3.4
mongo_crypt_v1.so shared library versions prior to 6.0.17
mongo_crypt_v1.so shared library versions prior to 7.0.12
mongo_crypt_v1.so shared library versions prior to 7.3.4
Description:
A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields being sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written.
Recommendations:
For mongocryptd versions prior to 5.0.29, update to version 5.0.29 or later.
For mongocryptd versions prior to 6.0.17, update to version 6.0.17 or later.
For mongocryptd versions prior to 7.0.12, update to version 7.0.12 or later.
For mongocryptd versions prior to 7.3.4, update to version 7.3.4 or later.
For mongo_crypt_v1.so shared library versions prior to 6.0.17, update to version 6.0.17 or later.
For mongo_crypt_v1.so shared library versions prior to 7.0.12, update to version 7.0.12 or later.
For mongo_crypt_v1.so shared library versions prior to 7.3.4, update to version 7.3.4 or later.
Weakness Enumeration:
Cleartext Transmission of Sensitive Information
Affected Products
Alt Linux
Red Os
Mongo Crypt V1.So
Mongocryptd