MongoDB Profile Command Authorization Vulnerability Allowing Unauthorized Filter Modifications

Vulnerability

A vulnerability exists in MongoDB's profile command authorization validation, specifically in versions 8.2.4, 8.0.18, and 7.0.29. The issue arises because the validation process incorrectly assesses requests that modify the 'filter' parameter as read-only. This flaw allows users to alter 'filter' values without the necessary permissions, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability could result in unauthorized modifications to profile command filters, allowing users to access or manipulate data they should not be able to.

Reproduction

To reproduce this vulnerability, send a profile command without specifying values for 'slowms', 'sampleRate', or 'filter'. The command will be processed as a read-only request, bypassing authorization checks for 'filter' modifications. This can be done using a MongoDB client or through a script that interacts with the MongoDB server.

Remediation

Users can upgrade to MongoDB versions 8.3.0-rc0, 8.2.4, 8.0.18, or 7.0.29 to address this vulnerability.
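As an added example that is not part of the advisory and not MongoDB's own tooling, the script below turns the Remediation section into a patch-status check a defender can run against the version string a server reports (for instance the `version` field of the `buildInfo` command). It assumes that the four releases listed above are the first fixed release on their respective branches, that anything earlier on the same branch is unpatched, and that a branch not listed (such as 6.0) cannot be judged from this advisory alone; all sample version strings and the `profile` reply in the test are constructed.

```python
"""
Patch-status check for the MongoDB profile-command authorization issue.
Added example, not from the advisory or from MongoDB. The fixed versions
below are copied from the advisory's Remediation section.
"""
import re
from typing import Dict, Tuple

# Assumption: each entry is the first fixed release on its branch; earlier
# releases on the same branch are treated as unpatched.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (7, 0): "7.0.29",
    (8, 0): "8.0.18",
    (8, 2): "8.2.4",
    (8, 3): "8.3.0-rc0",
}

# Final releases get a large rank so that "8.3.0" sorts after "8.3.0-rc0".
_FINAL_RANK = 10 ** 6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-rcN' into a tuple that compares correctly.

    Release candidates rank below the final release of the same number.
    Raises ValueError for strings that do not look like a MongoDB version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch, rc = match.groups()
    rc_rank = int(rc) if rc is not None else _FINAL_RANK
    return (int(major), int(minor), int(patch), rc_rank)


def assess(reported_version: str) -> str:
    """Classify a reported server version as 'patched', 'unpatched' or 'unknown'.

    'unknown' means the branch is not covered by the advisory's fix list, so
    the caller should consult the vendor rather than assume it is safe.
    """
    version = parse_version(reported_version)
    branch = (version[0], version[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if version >= parse_version(fixed) else "unpatched"


def audit_profile_settings(reply: dict) -> list:
    """Flag profiler settings worth a second look in a 'profile: -1' reply.

    Assumption: the reply carries the current settings under the keys
    'slowms', 'sampleRate' and 'filter', with 'filter' absent when unset.
    Returns a list of human-readable findings; an empty list means defaults.
    """
    findings = []
    if "filter" in reply:
        findings.append(f"profiler filter is set: {reply['filter']!r}")
    if reply.get("sampleRate", 1.0) != 1.0:
        findings.append(f"sampleRate is {reply['sampleRate']}")
    if reply.get("slowms", 100) != 100:
        findings.append(f"slowms is {reply['slowms']}")
    return findings


if __name__ == "__main__":
    # Constructed sample input; in practice feed in buildInfo.version.
    for sample in ("7.0.28", "7.0.29", "8.2.3", "8.3.0-rc0", "6.0.15"):
        print(f"{sample:>10}: {assess(sample)}")
    # Constructed sample reply to 'profile: -1' with a filter configured.
    for finding in audit_profile_settings(
        {"was": 1, "slowms": 100, "sampleRate": 1.0,
         "filter": {"op": "query", "millis": {"$gt": 2000}}, "ok": 1.0}
    ):
        print("finding:", finding)
```

Running `assess` on every server in an inventory gives a quick list of hosts still below the fixed release on their branch; `audit_profile_settings` is useful after patching, to confirm that no unexpected profiler filter was left behind while the authorization gap was open.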

Added: Feb 10, 2026, 9:14 PM
Updated: Feb 11, 2026, 3:02 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 2.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.