
MongoDB has released patches for a high-severity vulnerability affecting multiple versions of its server and driver products. A malicious local user could exploit it to escalate privileges on the host, potentially taking complete control of the machine.
The flaw, tracked as CVE-2024-7553 with a CVSS score of 7.3, stems from incorrect validation of files that MongoDB loads from an untrusted local directory. Because such files are not properly validated, a local attacker who can place a file in one of these directories could get the software to load and execute the attacker's code. The potential impact is severe: a successful exploit could give the attacker the same permissions as the system administrator.
The affected products are as follows:
- MongoDB Server, by release branch:
  - v5.0 releases prior to v5.0.27
  - v6.0 releases prior to v6.0.16
  - v7.0 releases prior to v7.0.12
  - v7.3 releases prior to v7.3.3
- MongoDB C Driver versions prior to 1.26.2
- MongoDB PHP Driver versions prior to 1.18.1
The patched versions include:
- MongoDB Server:
  - v5.0.27 and later
  - v6.0.16 and later
  - v7.0.12 and later
  - v7.3.3 and later
- MongoDB C Driver: v1.26.2 and later
- MongoDB PHP Driver: v1.18.1 and later
The issue is specific to Windows installations, and MongoDB urges all users running the affected products on Windows to update to the patched versions immediately.
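As an added check (example code written for this page, not MongoDB's own tooling), the script below classifies installed component versions against the fixed-version list above. It compares each server version against the fix for its own release branch, so a branch the advisory does not list (for example 7.2.x) is reported as "not-listed" rather than assumed safe. The product keys, the verdict labels, and the sample inventory strings are this example's own assumptions; the strings mimic what `mongod --version`, `db.version()` and `phpversion('mongodb')` print. Treating non-Windows hosts as out of scope follows the page's Windows-specific update guidance and should be confirmed against the vendor advisory.

```python
import re

# Fixed versions taken from the advisory text above. Server fixes are per
# release branch (major.minor); each driver has a single fixed version that
# covers every earlier release. Branches missing from this table are reported
# as "not-listed" rather than assumed safe.
FIXED_VERSIONS = {
    "server": {(5, 0): (5, 0, 27), (6, 0): (6, 0, 16), (7, 0): (7, 0, 12), (7, 3): (7, 3, 3)},
    "c-driver": {None: (1, 26, 2)},
    "php-driver": {None: (1, 18, 1)},
}

# No \b anchor: "v7.0.11" has no word boundary between the 'v' and the '7'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first major.minor.patch triple found in text as a tuple of ints.

    Accepts raw tool output such as 'db version v7.0.11' (mongod --version),
    '7.0.11' (db.version() in the shell) or '1.18.0' (phpversion('mongodb')).
    Pre-release suffixes such as '-rc0' are ignored, so a release candidate of a
    fixed version is treated as fixed; review those by hand.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no major.minor.patch version in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(product, version_text, on_windows=True):
    """Classify one installed component against the CVE-2024-7553 fix list.

    Returns 'patched', 'vulnerable', 'not-listed' (release branch absent from
    the advisory) or 'platform-out-of-scope' (unpatched, but not on Windows,
    which is the environment the advisory's update guidance targets).
    """
    version = parse_version(version_text)
    table = FIXED_VERSIONS[product]
    if None in table:
        fixed = table[None]          # driver: one fixed version for all branches
    else:
        fixed = table.get(version[:2])  # server: look up the (major, minor) branch
        if fixed is None:
            return "not-listed"
    if version >= fixed:             # tuple comparison is lexicographic by component
        return "patched"
    return "vulnerable" if on_windows else "platform-out-of-scope"


def scan(inventory):
    """Assess a list of (product, version_text, on_windows) records."""
    return [(product, text, assess(product, text, on_windows))
            for product, text, on_windows in inventory]


# Constructed sample inventory (not real hosts) in the formats the tools print.
SAMPLE_INVENTORY = [
    ("server", "db version v7.0.11", True),
    ("server", "db version v7.0.12", True),
    ("server", "6.0.15", False),
    ("server", "7.2.1", True),
    ("c-driver", "1.25.4", True),
    ("php-driver", "1.18.1", True),
]

if __name__ == "__main__":
    for product, text, verdict in scan(SAMPLE_INVENTORY):
        print(f"{product:10} {text:22} {verdict}")
```

On a real host, feed `assess` the output of `mongod --version` (or `db.version()` from a shell) and pass `on_windows=platform.system() == "Windows"`; for the PHP driver, `php -r 'echo phpversion("mongodb");'` gives the string to parse. A "not-listed" verdict means the advisory says nothing about that branch, not that it is safe.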



