Mongodump 100.6.0 has CVE-2022-32149

mongodump 100.6.0 has CVE-2022-32149.
In which version was it fixed?

Also, mongorestore has the same vulnerability. Can you please share the version in which the issue was not present?

Hello @Sri_Sai_Ram_Akam ,

Welcome back to The MongoDB Community Forums! :wave:

Please upgrade your database tools to the latest version 100.7.3 via Download Database Tools.

The new version includes bug fixes as well as improvements. Let me know if you face any issues.
I will be happy to help you.

Regards,
Tarun

Hi @Tarun_Gaur, thank you for your reply. But I want to know in which database tools version the Go version was updated and the vulnerability is resolved.
That would make it clearer which version is appropriate for us to update to.

Hello @Sri_Sai_Ram_Akam ,

As per my understanding, CVE-2022-32149 does not affect the Database tools.

In case you face any issues or have any queries, kindly feel free to post a new thread, and I will be happy to help you! :slightly_smiling_face:

Regards,
Tarun

Hi @Tarun_Gaur,
My concern is that Database Tools 100.6.0 is built on Go version 1.17.10, which has the vulnerability CVE-2022-32149.
I think that should also affect the mongodump and mongorestore that we are using.
Kindly help with this.

mongodump --version
mongodump version: 100.6.0
git version: 1d46e6e7021f2f5668763dba624e34bb39208cb0
Go version: go1.17.10
os: windows
arch: amd64
compiler: gc

Hello @Sri_Sai_Ram_Akam ,

I got a confirmation from the team that CVE-2022-32149 does not affect the database tools.

Also, you can download our latest release, Database Tools version 100.7.4, which is built upon Go version 1.19, from our Download Center. Please refer to the Database Tools Changelog for more information.

Tarun
