MongoDB Patches High-Severity Windows Vulnerability (CVE-2024-7553) in Multiple Products
MongoDB, the popular NoSQL database provider, announced patches for a high-severity vulnerability affecting multiple versions of its server and driver products. The flaw, tracked as CVE-2024-7553 (CVSS 7.3), could allow a user who already has local access to a Windows host to escalate their privileges, potentially gaining control of the system. It is a local privilege escalation, not a remotely exploitable flaw: network exposure of the database is not the precondition, local access to the host is.
The Technical Details
The vulnerability stems from incorrect validation of files that MongoDB loads from a local directory that is not trustworthy. On Windows, a local attacker who has permission to write to such a directory can plant a file there and have the affected software load it, so that the attacker's code runs with the privileges of the account that owns the MongoDB process. Where that account is an administrative or privileged service account, the attacker inherits those permissions, which is why the potential impact is rated as severe. The same file-loading behaviour exists in the affected C and PHP drivers, so applications that embed those drivers on Windows are exposed in the same way, with the impact bounded by the privileges of the embedding application.
Products Affected
The following MongoDB products are vulnerable:
- MongoDB Server versions prior to:
  - v5.0.27 (5.0 release line)
  - v6.0.16 (6.0 release line)
  - v7.0.12 (7.0 release line)
  - v7.3.3 (7.3 release line)
- MongoDB C Driver versions prior to 1.26.2
- MongoDB PHP Driver versions prior to 1.18.1
Urgent Action Recommended
MongoDB urges all users running the affected products on Windows environments to update to the patched versions immediately. The patched versions are:
- MongoDB Server:
  - v5.0.27 and later on the 5.0 line
  - v6.0.16 and later on the 6.0 line
  - v7.0.12 and later on the 7.0 line
  - v7.3.3 and later on the 7.3 line
- MongoDB C Driver: v1.26.2 and later
- MongoDB PHP Driver: v1.18.1 and later
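The first practical step is working out which hosts are still on an affected version. The following script is an added example, not code from MongoDB or from the original advisory: it encodes the fix levels listed above per release line, parses a version string as reported by `mongod --version` (which prints a line of the form `db version v7.0.11`), `db.version()` in the shell, or the driver's own version output, and reports whether that version is affected. The product keys, the `audit` helper and the sample inventory are assumptions constructed for the example; a server release line the page does not list (for instance 4.4) is reported as not covered rather than guessed at.

```python
"""Check MongoDB Server / C Driver / PHP Driver versions against the fix
levels published for CVE-2024-7553. Example code, not MongoDB's own."""
import re

# Fix levels exactly as listed on this page. Server fixes are keyed by
# release line (major, minor); the drivers have a single threshold each.
FIXED = {
    "server": {
        (5, 0): (5, 0, 27),
        (6, 0): (6, 0, 16),
        (7, 0): (7, 0, 12),
        (7, 3): (7, 3, 3),
    },
    "c-driver": {None: (1, 26, 2)},
    "php-driver": {None: (1, 18, 1)},
}

# Matches "7.0.11", "v7.0.11" or a pre-release such as "7.0.12-rc0".
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease) for the first version
    token in `text`; prerelease is None for a final release."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, m.group(4)


def is_affected(product, text):
    """True if the version is before the fix, False if at or after it,
    None if the release line is not one this advisory lists."""
    base, pre = parse_version(text)
    table = FIXED[product]
    key = None if None in table else base[:2]
    fixed = table.get(key)
    if fixed is None:
        return None  # e.g. server 4.4.x: not covered by the listed fixes
    if base < fixed:
        return True
    # A pre-release build of the fix version (7.0.12-rc0) precedes the fix.
    return base == fixed and pre is not None


def audit(inventory):
    """inventory: iterable of (host, product, version_text).
    Returns the rows that need attention: affected, or not covered."""
    rows = []
    for host, product, text in inventory:
        status = is_affected(product, text)
        if status is False:
            continue
        label = "AFFECTED" if status else "NOT COVERED"
        rows.append((host, product, parse_version(text)[0], label))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; in practice collect these strings from
    # `mongod --version`, `db.version()` and the drivers' version output.
    SAMPLE = [
        ("db-01", "server", "db version v7.0.11"),
        ("db-02", "server", "db version v7.0.12"),
        ("app-03", "php-driver", "1.18.0"),
        ("legacy-04", "server", "db version v4.4.29"),
    ]
    for row in audit(SAMPLE):
        print("%-10s %-11s %-10s %s" % (row[0], row[1], ".".join(map(str, row[2])), row[3]))
```

Feed the function the line that carries the product's own version: the first version-looking token in the text is used, so passing a whole page of tool output that also mentions bundled library versions can pick up the wrong number. A "NOT COVERED" result means the version is on a release line this advisory does not list, which is a prompt to consult the vendor advisory, not a clean bill of health.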
Because this is a local privilege escalation, administrators should prioritize Windows hosts where untrusted or low-privileged users hold local accounts or can write to directories the MongoDB process reads from, since those are the hosts on which an attacker can stage the malicious file. Internet-facing databases are not the highest-risk group for this particular flaw unless such local access exists.
In addition to patching, review who can log on to database hosts and what they can write. Restrict interactive access to database servers to administrators, tighten filesystem permissions on any directory the MongoDB process loads files from so that only the service account and administrators can write there, and apply the principle of least privilege to database users, granting only the roles and permissions they absolutely need.