Invariant with $elemMatch
Description
Authorized database users can trigger denial of service via specially crafted $elemMatch queries in MongoDB Server versions prior to 4.0.5 and 3.6.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MongoDB Server versions 4.0 prior to 4.0.5 and 3.6 prior to 3.6.10 contain a denial-of-service vulnerability in the handling of $elemMatch queries. A user with database query authorization can issue a specially crafted query that causes excessive iteration (CWE-834), leading to an invariant failure and server crash [1].
Exploitation
An attacker must have network access to the MongoDB server and valid credentials to perform database queries. By sending a crafted query that includes an $elemMatch operator with specific conditions, the server enters an infinite loop or excessive iteration, exhausting resources and causing a denial of service [1]. No additional user interaction is required.
Impact
Successful exploitation results in a denial of service, making the MongoDB server unavailable. The CVSS v3.1 score is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity loss [1].
Mitigation
MongoDB has released fixed versions: upgrade to MongoDB 4.0.5 or later, or 3.6.10 or later. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
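Since the only documented mitigation is upgrading, the practical defender task is to find instances still on an affected release. The following is an added example, not part of this CVE record or MongoDB's own code: it takes the version string that `db.version()` (or `buildInfo.version`) reports and classifies it against the affected ranges stated above, the 4.0 branch before 4.0.5 and the 3.6 branch before 3.6.10. Branches the record does not mention (3.4, 4.2, and so on) are reported as not covered rather than guessed at, and a pre-release tag such as `4.0.5-rc0` is treated as earlier than the fixed release. The host names and versions in the sample inventory are constructed.

```python
"""Version triage for the MongoDB $elemMatch DoS record (fixed in 4.0.5 / 3.6.10).

Added example, not the CVE record's or MongoDB's code. Assumes the affected ranges
quoted in the record; any other release branch is reported as 'not-covered'.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed patch level per affected branch, as stated in the record.
FIXED_VERSIONS = {
    (3, 6): (3, 6, 10),
    (4, 0): (4, 0, 5),
}

# major.minor.patch with an optional pre-release suffix such as "-rc0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a MongoDB version string.

    Raises ValueError on anything that does not start with three numeric parts.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix is not None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if on an affected
    branch at or past the fix, None if the branch is not covered by this record."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    base = (major, minor, patch)
    # A pre-release of the fixed version (e.g. 4.0.5-rc0) predates the fix.
    return base < fixed or (base == fixed and prerelease)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify a host -> version inventory into vulnerable / fixed / not-covered."""
    labels = {True: "vulnerable", False: "fixed", None: "not-covered"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample = {
        "db-a": "3.6.9",
        "db-b": "3.6.10",
        "db-c": "4.0.4",
        "db-d": "4.0.5-rc0",
        "db-e": "4.0.5",
        "db-f": "4.2.1",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

In a real deployment the inventory would be filled from each node's `buildInfo` output; hosts labelled `not-covered` need to be checked against the vendor advisory for their own branch rather than assumed safe.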
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
MongoDB Inc. / MongoDB Server (range: 3.6)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://jira.mongodb.org/browse/SERVER-38164 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.