BugZero found this defect 51 days ago.
3/29/2024
MongoDB Server
No affected releases provided.
No fixed releases provided.
When UserCacheInvalidator::run() is called, we first get the current version of AuthorizationManager::_cacheGeneration. If this differs from our version, we call invalidateUserCache() and replace our version with the one we collected in the first step. The problem is that calling invalidateUserCache() updates AuthorizationManager::_cacheGeneration, so the first version we got is no longer the most up-to-date version.

The current code:

    // We get the current cacheGeneration version.
    auto swCurrentGeneration = getCurrentCacheGeneration(opCtx.get());
    ....
    // We compare it with our version
    if (swCurrentGeneration.getValue() != _previousGeneration) {
        ...
        // This will generate a new _cacheGeneration, so swCurrentGeneration
        // is no longer the most up to date version.
        AuthorizationManager::get(opCtx->getService())->invalidateUserCache();
        ...
        _previousGeneration = swCurrentGeneration.getValue();
    } else {
        // If the above happened once then we will never hit this else statement.
        auto refreshStatus = _authzManager->refreshExternalUsers(opCtx.get());
        ...
    }

We should update UserCacheInvalidator::_previousGeneration with the new _cacheGeneration version after calling invalidateUserCache().
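The following model is an added example, not MongoDB source code. It reproduces the stale comparison described above and the proposed change side by side. ModelAuthzManager, ModelInvalidator, refreshesAfterOneChange and the integer generation counter are hypothetical stand-ins, and the model assumes, as the report states, that invalidateUserCache() always produces a new generation.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for AuthorizationManager: only the generation is modelled.
struct ModelAuthzManager {
    std::uint64_t cacheGeneration = 1;
    int externalRefreshes = 0;
    // Assumption taken from the report: invalidation yields a new generation.
    void invalidateUserCache() { ++cacheGeneration; }
    void refreshExternalUsers() { ++externalRefreshes; }
};

// Hypothetical stand-in for UserCacheInvalidator; fixApplied selects the proposed change.
struct ModelInvalidator {
    ModelAuthzManager& authz;
    std::uint64_t previousGeneration;
    bool fixApplied;

    void run() {
        const std::uint64_t current = authz.cacheGeneration;  // sampled first
        if (current != previousGeneration) {
            authz.invalidateUserCache();  // changes cacheGeneration
            // Reported code stores the stale sample; the fix re-reads the generation.
            previousGeneration = fixApplied ? authz.cacheGeneration : current;
        } else {
            authz.refreshExternalUsers();
        }
    }
};

// Simulates one generation change made elsewhere, then `passes` calls to run().
// Returns how many passes reached the refreshExternalUsers() branch.
int refreshesAfterOneChange(bool fixApplied, int passes) {
    ModelAuthzManager authz;
    ModelInvalidator inv{authz, authz.cacheGeneration, fixApplied};
    authz.cacheGeneration += 1;  // constructed event: another component bumps it
    for (int i = 0; i < passes; ++i) inv.run();
    return authz.externalRefreshes;
}

int main() {
    std::printf("reported code: %d refreshes in 10 passes\n", refreshesAfterOneChange(false, 10));
    std::printf("with the fix:  %d refreshes in 10 passes\n", refreshesAfterOneChange(true, 10));
    return 0;
}
```

In the model, the reported logic invalidates the user cache on every pass and never reaches the external-user refresh, while the corrected logic invalidates once and refreshes on each later pass.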