
MongoDB Addresses Windows Vulnerability (CVE-2024-7553) Across Multiple Products

Bar Refael

August 11, 2024

MongoDB, a leading NoSQL database provider, has released patches for a high-severity vulnerability, CVE-2024-7553, affecting several versions of its server and driver products. This flaw, with a CVSS score of 7.3, could allow a malicious local user to escalate privileges to the highest level on a Windows system, potentially giving them complete control over the affected system.

CVE-2024-7553: High-Severity Privilege Escalation Vulnerability

Description:

  • The vulnerability originates from improper validation of files loaded from untrusted local directories by MongoDB on Windows systems. This could allow an attacker to execute arbitrary code with the same privileges as a system administrator, leading to a complete system compromise.

Affected Products:

  • MongoDB Server versions prior to:
    • v5.0.27
    • v6.0.16
    • v7.0.12
    • v7.3.3
  • MongoDB C Driver versions prior to 1.26.2
  • MongoDB PHP Driver versions prior to 1.18.1

Technical Details:

  • The vulnerability is caused by how MongoDB handles files from untrusted directories. On Windows, this flaw can be exploited by a local attacker to execute arbitrary code, leading to privilege escalation.

Mitigation and Recommendations

Patched Versions:

  • MongoDB Server:
    • v5.0.27 and later
    • v6.0.16 and later
    • v7.0.12 and later
    • v7.3.3 and later
  • MongoDB C Driver: v1.26.2 and later
  • MongoDB PHP Driver: v1.18.1 and later

Immediate Action Required:

  • Update MongoDB installations to the latest patched versions, particularly for systems running on Windows, as these are most at risk.
  • Review and enforce access controls, ensuring that only authorized users have access to the database systems, following the principle of least privilege.
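Checking an inventory against the patched-version list above is the first step of the update work, so here is an added example of that check. It is not MongoDB's or the OP Innovate team's code; the fix thresholds are taken from this advisory, while the product keys, the sample inventory and the decision to report server branches the advisory does not name as "not covered" are this example's own assumptions.

```python
"""Flag MongoDB components whose version predates the fix for CVE-2024-7553.

Added example, not code from MongoDB or from the advisory's authors. The
thresholds come from the advisory; the inventory below is constructed.
"""
from __future__ import annotations

import re
from typing import Optional

# Minimum patched version per release branch, as listed in the advisory.
# Server branches are keyed by (major, minor); the drivers have one threshold each.
FIXED_VERSIONS = {
    "server": {
        (5, 0): (5, 0, 27),
        (6, 0): (6, 0, 16),
        (7, 0): (7, 0, 12),
        (7, 3): (7, 3, 3),
    },
    "c-driver": {None: (1, 26, 2)},
    "php-driver": {None: (1, 18, 1)},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'v7.0.11', '7.0.12-rc0' or '6.0.16' into a comparable tuple.

    The fourth element marks a final build (1) versus a pre-release (0), so a
    pre-release of the fixed version still sorts below the fix and is reported
    as vulnerable rather than silently treated as patched.
    """
    text = text.strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    is_final = 0 if text[m.end():].startswith("-") else 1
    return (major, minor, patch, is_final)


def assess(product: str, version: str) -> Optional[bool]:
    """True if the version predates the fix, False if patched, None if the
    advisory lists no threshold for this server branch (assumption: such
    branches are reported separately rather than guessed at)."""
    v = parse_version(version)
    thresholds = FIXED_VERSIONS[product]
    key = (v[0], v[1]) if product == "server" else None
    fixed = thresholds.get(key)
    if fixed is None:
        return None
    return v < fixed + (1,)


# Constructed sample inventory: (host, product, version string as reported).
SAMPLE_INVENTORY = [
    ("win-db-01", "server", "v7.0.11"),
    ("win-db-02", "server", "7.0.12"),
    ("win-db-03", "server", "6.0.16-rc1"),
    ("win-app-01", "c-driver", "1.25.0"),
    ("win-app-02", "php-driver", "1.18.1"),
    ("win-db-04", "server", "7.2.1"),
]


def hosts_needing_update(inventory=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    """Bucket every host as vulnerable, patched, or not covered by the advisory."""
    report: dict[str, list[str]] = {"vulnerable": [], "patched": [], "not_covered": []}
    for host, product, version in inventory:
        state = assess(product, version)
        bucket = "not_covered" if state is None else ("vulnerable" if state else "patched")
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in hosts_needing_update().items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "not_covered" bucket run a server branch the advisory does not list; they should be resolved against MongoDB's own release notes rather than assumed safe, and Windows hosts in the "vulnerable" bucket are the ones to prioritise.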

Conclusion

The patching of CVE-2024-7553 is critical for securing MongoDB installations, especially those on Windows platforms. Administrators are strongly advised to apply the updates immediately to mitigate the risk of exploitation.

Stay Secure. Stay Informed.

OP Innovate Research Team.
