An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially crafted, malformed oplog entries, potentially causing a denial of service on replica set secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27, v4.2 versions prior to 4.2.16, and v4.4 versions prior to 4.4.9.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20330.json"
[
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"function_hash": "110899593491185897421769498838013973718",
"length": 1407.0
},
"id": "CVE-2021-20330-13f9d3bb",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_destination_manager.cpp",
"function": "MigrationDestinationManager::report"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/0e6db36e92d82cc81cbd40ffd607eae88dc1f09d",
"digest": {
"function_hash": "265048229442723261545469003818871560045",
"length": 1364.0
},
"id": "CVE-2021-20330-2969ad11",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/btree/bt_random.c",
"function": "__random_leaf"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"line_hashes": [
"335931795400688812254294467053957487616",
"279853500410000154530933968651110334054",
"203592698062408137281156458254434292024",
"180099898179883539579227689973886057333"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-38c5d40e",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_chunk_cloner_source_legacy.h"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7",
"digest": {
"line_hashes": [
"304309854938771315528878311386512649977",
"159990187239721299865695754621037385159",
"29591183454698994496055869347905944638",
"39460162790989197924778971857662566095"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-4366e8fb",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/include/stat.h"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"line_hashes": [
"920370436543645657280852106272270552",
"192379727769643137858145855933813803106",
"224169942226726934869258298043919757057",
"116990790695668131855121145882217343321",
"120930342436774343220229399210098764860",
"62981803095190617687736658637869200002",
"249541202444984784260304567950056813152",
"258436675845632025607603102449895272291",
"152534867354771833869435817268870661613",
"167981006052710287295615119131574394149",
"8576830679016348070670717513462830393",
"123601252332544849271943309752455347105",
"63184896946003030372071663647517891913",
"62385289445508777062457882922831071817",
"293004031884692435360665412015268920352",
"271745089266943316012270656700975372476",
"264226832801940819222926580403844884455",
"309831267507156951591551805614071879682",
"53326193067519384232166676954011965761",
"36457239980659440159970862019709266650",
"128791749164301754674713001963078925401",
"138354988594683096446266345539761981932",
"178778857095588088658344713690317925334",
"11308903635517473041072589362130541462",
"290244132677205446578158241627030159551",
"96396956260502611052125764102436590571",
"86521532930661451766176499522534709518",
"264081126738994882577667878245534090613",
"339605792960291239820340061417578140951",
"18541851109980676852609842550457953697",
"251599190146187686150607107106213652976",
"140228393868623776529475156757697794811",
"13136755455117748734179671977066624444",
"311302703188013159898076314546684857658",
"204198483851764000213320205215032263943",
"132618186474171534296680962436144387827",
"149447754960376852840088861926397707560",
"317571144633694617656006746507508222726",
"96567492166067109020004264640558307334",
"283800856800746690938676575526566247905",
"338765792693788673673644245808894818336",
"295565834367087399081872519528655308200",
"35426703332358389819818487579109369501",
"186603883097820956871904658962469202191",
"246029012713680024657582902179656099098",
"223472891258717470209875545154431723349",
"230936637359279413851818852210033461468",
"156404730374570483953955006372663134700",
"302509788981884962222188197367513715959",
"221278704683136829093807410817054890971",
"198035117246471702805901948422385171671",
"248176614725428462608743110161230504825",
"104556849665341490639857763195363542734",
"279482751054176771549979871966094138827",
"262120577359798128218683906708791878147",
"32081733076451315147033413691455081905",
"181432640982509322533722179935523202940",
"98940988846699997285599052486322043268",
"82912290501818706362743217712753983944",
"198536867243497964916864557012221347784",
"129123726328933022783024610672302795029",
"127006674449724318217198564505477193179",
"13153651495476903863611373910616968771",
"305183420924727243311081037146177039497",
"189304861896914076483554419815747410157",
"170773024630184892078472755945324059567",
"227251628460350283203840190092485351947",
"14526413784936531776656036196653582180",
"84188117341641081669458883812695879584",
"6737087402986512014032978127801241584",
"216734536565298283313071388078430808022",
"117193685688195828935132635096947087714",
"116286211601243472993801039934732209897",
"16390171248668929992321484177785724288",
"275147910843626380355301037503714778223"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-4d80a17a",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_chunk_cloner_source_legacy.cpp"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7",
"digest": {
"line_hashes": [
"9964035940448229604508452339320702565",
"279144668696263118568975409434216060369",
"310043070164020625807193334988013984986",
"339760208623162757502176976400689406525",
"131977348106043779507856790374047409138",
"123441354786866711588559357823162682538",
"293714442544027711107556079041866692227",
"162752013676965142246077934453215386394",
"324032348638057061161682509048599824567",
"121937506399780336854296230145409378941",
"199780162125559694685149883214584631060",
"227884874867504513112021077972251791106",
"261612240924734278572913093479803810961",
"286082226499307095253668538840269443688",
"129405288897876633958152416475890780864",
"269652634344155839602202508421453812362",
"16486064757653017381293239340546488484",
"207783343580222294510275601978344309069",
"93341773191185703145684049417983076585",
"264729008592644685130695628396263079118",
"162739975768512691314383375550384307005",
"322424281673992108792585657723452332895",
"6906182378645453804971404233502268014",
"148633207451182503811094733324787357385",
"336601403274512518791549863536452581218",
"270920482307626428220583658551012324065",
"28722714875892462456838514438450916088",
"70032068465384074762481428408474790785",
"130024759000511817773037193211893908009",
"248045013509410874781535455376265550265",
"184088916991963941116843189582914765237",
"107934928256828043715886343488947459634",
"252758208991215758062398429945658868547",
"157500687007592536096521522934472005413",
"47318159438344601177447854731081668772",
"144365453626600490878597711410257697932",
"156370345622140483321535368100055163048",
"338267830166853612482141678905503253153",
"225699392630679331402712447237696227772",
"22857993054124746559144187088360971536",
"152383350153367724421354455239243842496",
"13560969797558308594019548335319893444",
"77390849544881424429114670314918492550",
"117411786493703725376347828069703627709",
"110001327243180497493026351110280992447"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-5d548b0b",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/txn/txn_rollback_to_stable.c"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"line_hashes": [
"10355685592753707776317506258864742931",
"31840163594133796851202762917322695204",
"36494154703594035481437335564876399982",
"233064378391318495619363993489873275184",
"162596702863218541381744664754223921011"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-735bc836",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/start_chunk_clone_request.h"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/0e6db36e92d82cc81cbd40ffd607eae88dc1f09d",
"digest": {
"line_hashes": [
"24916808240637586631367219010627857008",
"222527607790619342269055941072129855634",
"128938297141464673860484039824564077257",
"37960205996489234235288854761413664374"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-80eac4c4",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/btree/bt_random.c"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"line_hashes": [
"227835469645773730484715717087228328478",
"302700027154240247942763690723010460900",
"3538276540892374793159825671647782708",
"255719647766004387826357014733663528082",
"275474700132862516535581141309099995319",
"313048882958668576619597470214674336700",
"314652429211935826568266193925395601306",
"200138698726692736906449678005662032123",
"101565016674653282203130665186832894902",
"222980752393350033418376646034048692509",
"311619014135891976596427948348989513500",
"175435750662160295882011774509532234175",
"241758975701716818010679819237914541460",
"93272769375420795534560062089793660238",
"88812764643798305235664865116992837114",
"107935466268868840168739460290032948560",
"231326169093576463224385674887394937863",
"247238907581221923563277142862023160878",
"277427808848556889851193747937356471653",
"132482279616533885510266354405852700614",
"96214187348619473959224595951507983462",
"178688803163561671175696808609997140590",
"46036473865801531092814108243992425373",
"40962247692484887039374559224029362329",
"89782100533808589110188718984122681597",
"260445944950473772356215479450352629171",
"125000065198790923524760630385798973867",
"307471634412342122651097031586388974416",
"188743437159458223533749560095271450108",
"161141740341772537094514244867786099783",
"88635659131613250623175492891177413348",
"30375022467533747532170612250708569848"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-8f4048ee",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_destination_manager.cpp"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"function_hash": "43186893515418814378800620358592116385",
"length": 3377.0
},
"id": "CVE-2021-20330-8fa14c1b",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_chunk_cloner_source_legacy.cpp",
"function": "MigrationChunkClonerSourceLegacy::awaitUntilCriticalSectionIsAppropriate"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"function_hash": "275443618750509383019463271457058054208",
"length": 1884.0
},
"id": "CVE-2021-20330-a8946eba",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_destination_manager.cpp",
"function": "MigrationDestinationManager::startCommit"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/89306fde6167fa12ea6e30d61e05791e8e214e55",
"digest": {
"function_hash": "56498043749970123206321099733945167144",
"length": 3547.0
},
"id": "CVE-2021-20330-b9a4e485",
"deprecated": false,
"target": {
"file": "src/mongo/db/s/migration_chunk_cloner_source_legacy.cpp",
"function": "MigrationChunkClonerSourceLegacy::_storeCurrentLocs"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7",
"digest": {
"function_hash": "15418613572870018790435582152300378300",
"length": 4639.0
},
"id": "CVE-2021-20330-c552a67e",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/txn/txn_rollback_to_stable.c",
"function": "__rollback_to_stable_btree_apply"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7",
"digest": {
"function_hash": "13607704347154062668439278557871305573",
"length": 38783.0
},
"id": "CVE-2021-20330-e9e38fb9",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/support/stat.c",
"function": "__wt_stat_connection_aggregate"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7",
"digest": {
"line_hashes": [
"229894274245954591741085237992581520323",
"80446083945205796399763010139911861960",
"115964321012874738052620487018112905676",
"149570320899939478620995949221795860154",
"104128001505534074541414446136265317446",
"130924665936411827030191371657881992030",
"250727418467635347014615798961608716190",
"47359390615834079511824295529022593998",
"122426855261351243012610089060205003124",
"116311001105685242312734893354355099319",
"98376288197935315590819835083050652459"
],
"threshold": 0.9
},
"id": "CVE-2021-20330-eeb1f942",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/support/stat.c"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7",
"digest": {
"function_hash": "6631520431783892756420725152679734606",
"length": 762.0
},
"id": "CVE-2021-20330-f22d8385",
"deprecated": false,
"target": {
"file": "src/third_party/wiredtiger/src/txn/txn_rollback_to_stable.c",
"function": "__wt_rollback_to_stable"
}
}
]