{"id":"UBUNTU-CVE-2024-7553","details":"Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating system is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior to 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system are affected by this issue.","modified":"2026-04-22T15:27:25.308302Z","published":"2024-08-07T10:15:00Z","upstream":["CVE-2024-7553"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-7553"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-7553"},{"type":"REPORT","url":"https://jira.mongodb.org/browse/PHPC-2369"},{"type":"REPORT","url":"https://jira.mongodb.org/browse/SERVER-93211"},{"type":"REPORT","url":"https://jira.mongodb.org/browse/CDRIVER-5650"}],"affected":[{"package":{"name":"mongodb","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/mongodb@1:2.4.9-1ubuntu2+esm2?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:2.4.6-0ubuntu5","1:2.4.6-0ubuntu6","1:2.4.8-1ubuntu1","1:2.4.8-2","1:2.4.9-1","1:2.4.9-1ubuntu1","1:2.4.9-1ubuntu2","1:2.4.9-1ubuntu2+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1:2.4.9-1ubuntu2+esm2","binary_name":"mongodb"},{"binary_version":"1:2.4.9-1ubuntu2+esm2","binary_name":"mongodb-clients"},{"binary_version":"1:2.4.9-1ubuntu2+esm2","binary_name":"mongodb-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"mongodb","ecosy
stem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/mongodb@1:2.6.10-0ubuntu1+esm2?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:2.6.10-0ubuntu1","1:2.6.10-0ubuntu1+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1:2.6.10-0ubuntu1+esm2","binary_name":"mongodb"},{"binary_version":"1:2.6.10-0ubuntu1+esm2","binary_name":"mongodb-clients"},{"binary_version":"1:2.6.10-0ubuntu1+esm2","binary_name":"mongodb-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"php-mongodb","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/php-mongodb@1.1.5-1~build1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.1.2-2~ubuntu1","1.1.5-1~build1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.1.5-1~build1","binary_name":"php-mongodb"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"mongodb","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/mongodb@1:3.6.3-0ubuntu1.4+esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:3.4.7-1","1:3.4.7-1ubuntu1","1:3.4.7-1ubuntu2","1:3.4.7-1ubuntu4","1:3.4.14-3ubuntu1","1:3.4.14-3ubuntu2","1:3.6.3-0ubuntu1","1:3.6.3-0ubuntu1.1","1:3.6.3-0ubuntu1.3","1:3.6.3-0ubuntu1.4","1:3.6.3-0ubuntu1.4+esm1","1:3.6.3-0ubuntu1.4+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.6.3-0ubuntu1.4+esm2","binary_name":"mongodb"},{"binary_version":"1:3.6.3-0ubuntu1.4+esm2","binary_name":"mongodb-clients"},{"binary_version":"1:3.6.3-0ubuntu1.4+esm2","binary_name":"mongodb-server"},{"binary_version":"1:3.6.3-0ubuntu1.4+esm2","binary_name":"mongodb-server-core"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-s
ecurity-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"php-mongodb","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/php-mongodb@1.3.4-1build1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.3-1build1","1.3.4-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.3.4-1build1","binary_name":"php-mongodb"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"mongo-c-driver","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/mongo-c-driver@1.16.1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.15.0-1","1.15.1-1","1.15.2-1","1.16.0-1","1.16.1-1","1.16.1-1build1","1.16.1-1build2","1.16.1-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.16.1-1ubuntu0.1~esm1","binary_name":"libbson-1.0-0"},{"binary_version":"1.16.1-1ubuntu0.1~esm1","binary_name":"libmongoc-1.0-0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"mongodb","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/mongodb@1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu2","1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5","1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2","1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3","1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1","binary_name":"mongodb"},{"binary_version":"1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1","binary_name":"mongodb-clients"},{"binary_version":"1:3.6.9+really3.6.8
+90~g8e540c0b6d-0ubuntu5.3+esm1","binary_name":"mongodb-server"},{"binary_version":"1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1","binary_name":"mongodb-server-core"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"php-mongodb","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/php-mongodb@1.6.1-4build1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.5-1build1","1.6.1-4","1.6.1-4build1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.1-4build1","binary_name":"php-mongodb"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"mongo-c-driver","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/mongo-c-driver@1.21.0-1build1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.18.0-1","1.19.1-1","1.19.2-1","1.20.0-1","1.20.0-1build1","1.20.1-1","1.21.0-1","1.21.0-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.21.0-1build1","binary_name":"libbson-1.0-0"},{"binary_version":"1.21.0-1build1","binary_name":"libmongoc-1.0-0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"php-mongodb","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/php-mongodb@1.12.0+1.9.2+1.7.5-4?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9.0+1.7.5-2build2","1.11.1+1.9.2+1.7.5-4","1.12.0+1.9.2+1.7.5-3","1.12.0+1.9.2+1.7.5-4"],"ecosystem_specific":{"binaries":[{"binary_version":"1.12.0+1.9.2+1.7.5-4","binary_name":"php-mongodb"},{"binary_version":"1.12.0+1.9.2+1.7.5-4","binary_name":"php8.1-mongodb"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-n
otices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"mongo-c-driver","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/mongo-c-driver@1.26.0-1.1ubuntu2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.24.3-1","1.24.4-1","1.25.1-1","1.25.2-1","1.25.4-1","1.26.0-1","1.26.0-1.1ubuntu1","1.26.0-1.1ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.26.0-1.1ubuntu2","binary_name":"libbson-1.0-0t64"},{"binary_version":"1.26.0-1.1ubuntu2","binary_name":"libmongoc-1.0-0t64"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}},{"package":{"name":"php-mongodb","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/php-mongodb@1.15.0+1.11.1+1.9.2+1.7.5-1ubuntu3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.15.0+1.11.1+1.9.2+1.7.5-1build1","1.15.0+1.11.1+1.9.2+1.7.5-1ubuntu1","1.15.0+1.11.1+1.9.2+1.7.5-1ubuntu2","1.15.0+1.11.1+1.9.2+1.7.5-1ubuntu3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.15.0+1.11.1+1.9.2+1.7.5-1ubuntu3","binary_name":"php-mongodb"},{"binary_version":"1.15.0+1.11.1+1.9.2+1.7.5-1ubuntu3","binary_name":"php8.3-mongodb"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7553.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}