{"id":"CVE-2024-6384","details":"\"Hot\" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3","aliases":["BIT-mongodb-2024-6384"],"modified":"2026-04-12T17:29:15.371951Z","published":"2024-08-13T15:15:18.567Z","references":[{"type":"ADVISORY","url":"https://jira.mongodb.org/browse/SERVER-93516"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241115-0001/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"e61bf27c2f6a83fed36e5a13c008a32d563babe2"},{"fixed":"fc9c412204fdb4876f706cb62a45c1e98b5543fb"},{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"c34265d4f27ce8ab20382adce5c52d75eb9d7dc7"},{"introduced":"b4d4f7026332c345edc52f9687e509f74e95a0fb"},{"fixed":"23576ef75f59692926df6e8829a0f3addb384885"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"6.0.16"},{"introduced":"7.0.0"},{"fixed":"7.0.11"},{"introduced":"7.3.0"},{"fixed":"7.3.3"}]}}],"versions":["r6.0.0","r6.0.1","r6.0.1-rc0","r6.0.10","r6.0.10-rc0","r6.0.11","r6.0.11-rc0","r6.0.12","r6.0.12-rc0","r6.0.12-rc1","r6.0.13","r6.0.13-rc0","r6.0.14","r6.0.14-rc0","r6.0.14-rc1","r6.0.15","r6.0.15-rc0","r6.0.2","r6.0.2-rc0","r6.0.2-rc1","r6.0.3","r6.0.3-rc0","r6.0.3-rc1","r6.0.3-rc2","r6.0.4","r6.0.4-rc0","r6.0.4-rc1","r6.0.5","r6.0.5-rc0","r6.0.5-rc1","r6.0.6","r6.0.6-rc0","r6.0.6-rc1","r6.0.7","r6.0.7-rc0","r6.0.8","r6.0.8-rc0","r6.0.9","r6.0.9-rc0","r6.0.9-rc1","r7.0.0","r7.0.1","r7.0.1-rc0","r7.0.10","r7.0.10-rc0","r7.0.11-rc0","r7.0.11-rc1","r7.0.2","r7.0.2-rc0","r7.0.2-rc1","r7.0.2-rc2","r7.0.3","r7.0.3-rc0","r7.0.3-rc1","r7.0.4","r7.0.4-rc0","r7.0.5","r7.0.5-rc0","r7.0.6","r7.0.6-rc0","r7.0.7","r7.0.7-rc0","r7.0.7-rc1","r7.0.7-rc2","r7.0.8","r7.0.8-rc0","r7.0.9","r7.0.9-rc0","r7.0.9-rc1","r7.3.0","r7.3.1","r7.3.1-rc0","r7.3.1-rc1","r7.3.1-rc2","r7.3.2","r7.3.2-rc0","r7.3.2-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T17:29:15Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2024-6384-02994c0e","target":{"file":"src/mongo/db/catalog/validate_adaptor.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["329913852977053609459348688876833772491","27916421123273442154788625867936558300","254702237974878015461965003870539828486","69421658026751040608409740480749280563","59917524354465280083159754591568849064","118018153581426355201273610055412648538","202532364772967976656763415643466941211","47734924488772846956200476706272185238","161212334903003241711487295786793226842","244456038624490861842252424110816638544","322863289751779914270480716810515554130","210052204172846521702750367235445809096","134110601181299761084451138273808492779","20805998714756534432480840491877179793","198655128569990713992246152435318790910","68737470364433947102250526007507987068","193141080203447453096678275169688079311","274647368727423873631935008094415250900","6268980372646714086915409820431349257","84984221224533540388982641104063897055","55005143038296249055982544406153960039","197818085694772290256155776757570881861","325037879151098428754255884609382879360","221619187051515016168802315609371653260","120466451140107615920068057742060470260","180553256761516972613130832338620776690","242805896369546415456463004820945610401","25479116213114791816244574489579503173","301856799049377450880407501137723803495","293097896970528646890797003707406205470","89033067201110874503040566667736809461","80679747684782025787908739992128731839","300319027487364620971993600040520359164","134632868906332286542540803647382438968","255774180792678301400293503718771711460","40787414203996703021934373762299843031","332243771555207044190096874014908344315","236909820442148586509339669249705154549","154384632052279004074215527500682061602","233611330147428695231606866826892012747","247411118473579998750781502684875537232","106483436017133997274245817681143584591","182970895451744785784745563594047291081","147768537146537731830905577488937472841","297181038508343489747653048707178530232","31960323565502150100950393037137472491","141035720272936282041387270664732570818","72377435735075893685270530673520870212","336060587749944256689127264340034840781"]},"source":"https://github.com/mongodb/mongo/commit/fc9c412204fdb4876f706cb62a45c1e98b5543fb"},{"deprecated":false,"signature_version":"v1","id":"CVE-2024-6384-0e081e84","target":{"file":"src/mongo/dbtests/validate_tests.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["1770885869270750480141319907863994746","19520909800484761539646821662919742939","216726665403661884986091132459081168134","304935351436049255276440523825985770317","153380889861364499314029019562908192937","164186630264173411481843701519291681473","284208359225685349437689824140631392636"]},"source":"https://github.com/mongodb/mongo/commit/fc9c412204fdb4876f706cb62a45c1e98b5543fb"},{"deprecated":false,"signature_version":"v1","id":"CVE-2024-6384-61a1ae8a","target":{"file":"src/mongo/db/catalog/validate_adaptor.cpp","function":"ValidateAdaptor::traverseIndex"},"signature_type":"Function","digest":{"function_hash":"102081938924117680613651894140190709282","length":5100},"source":"https://github.com/mongodb/mongo/commit/fc9c412204fdb4876f706cb62a45c1e98b5543fb"},{"deprecated":false,"signature_version":"v1","id":"CVE-2024-6384-9b563fd2","target":{"file":"src/mongo/db/catalog/validate_adaptor.cpp","function":"_validateKeyOrder"},"signature_type":"Function","digest":{"function_hash":"274673260755196232339555212731228073531","length":1161},"source":"https://github.com/mongodb/mongo/commit/fc9c412204fdb4876f706cb62a45c1e98b5543fb"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6384.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}