SB2025062432 - Externally Controlled Reference to a Resource in Another Sphere in MongoDB


Published: June 24, 2025

Security Bulletin ID SB2025062432
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Externally Controlled Reference to a Resource in Another Sphere (CVE-ID: CVE-2024-8207)

CWE-ID: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists in certain highly specific configurations of the host system and of the MongoDB server binary installation on Linux operating systems. A local privileged user with host-level access can cause the MongoDB Server binary to load unintended, actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process.
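As an added defensive check (editor's example, not part of this bulletin or of MongoDB's own tooling): the bulletin does not name the configuration that makes the library location writable, so this POSIX shell script audits the general condition, namely any directory on a binary's RPATH/RUNPATH (or on an LD_LIBRARY_PATH value) that a less-privileged local account could create or write to. It assumes readelf from GNU binutils is installed, and the binary path in the usage comment is a placeholder.

```shell
#!/bin/sh
# audit_libdirs BIN_DIR PATHLIST
#   BIN_DIR  directory holding the executable (used to expand a leading $ORIGIN)
#   PATHLIST colon-separated search entries (RPATH/RUNPATH, or an LD_LIBRARY_PATH value)
# Prints one line per risky entry; returns 1 if any was found, else 0.
audit_libdirs() {
    bin_dir=$1 pathlist=$2 rc=0
    old_ifs=$IFS
    IFS=:
    for entry in $pathlist; do
        IFS=$old_ifs
        case $entry in
            '$ORIGIN'*) dir=$bin_dir${entry#\$ORIGIN} ;;   # expand $ORIGIN the way ld.so does
            *)          dir=$entry ;;
        esac
        case $dir in
            '') echo "EMPTY      (resolves to the current directory)"; rc=1; continue ;;
            /*) ;;
            *)  echo "RELATIVE   $entry (resolved against the working directory)"; rc=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            # Whoever can create a missing directory controls what gets loaded from it
            echo "MISSING    $entry -> $dir"; rc=1; continue
        fi
        # World- or group-writable directory: another local account can plant a library there
        if [ -n "$(find "$dir" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
            echo "WRITABLE   $entry -> $dir"; rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# audit_binary BINARY: read RPATH/RUNPATH from the ELF dynamic section and audit it.
audit_binary() {
    bin=$1
    command -v readelf >/dev/null 2>&1 || { echo "readelf not available" >&2; return 2; }
    paths=$(readelf -d "$bin" 2>/dev/null \
        | sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\]/\2/p' | paste -s -d : -)
    if [ -z "$paths" ]; then
        echo "no RPATH/RUNPATH in $bin"; return 0
    fi
    echo "search path of $bin: $paths"
    audit_libdirs "$(dirname "$bin")" "$paths"
}

# Usage: sh audit.sh /path/to/mongod   (placeholder path; run against the installed binary)
[ $# -gt 0 ] && audit_binary "$1"
```

Running the same audit on the value of LD_LIBRARY_PATH in the service's environment (systemd unit, init script, wrapper) covers the other common way a start-up search path is extended.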


Remediation

Install the update from the vendor's website.