All the vulnerabilites related to mongodb - mongodb
cve-2017-14227
Vulnerability from cvelistv5
Published
2017-09-09 08:00
Modified
2024-08-05 19:20
Severity ?
EPSS score ?
Summary
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1489362 | x_refsource_MISC | |
| http://www.securityfocus.com/bid/100825 | vdb-entry, x_refsource_BID | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1489355 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1489356 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:20:41.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489362"
},
{
"name": "100825",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100825"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489355"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489356"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-09-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-15T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489362"
},
{
"name": "100825",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100825"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489355"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489356"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14227",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489362",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489362"
},
{
"name": "100825",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100825"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489355",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489355"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489356",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489356"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14227",
"datePublished": "2017-09-09T08:00:00",
"dateReserved": "2017-09-09T00:00:00",
"dateUpdated": "2024-08-05T19:20:41.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-6494
Vulnerability from cvelistv5
Published
2016-10-03 18:00
Modified
2024-08-06 01:29
Severity ?
EPSS score ?
Summary
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1362553 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2016/07/29/8 | mailing-list, x_refsource_MLIST | |
| https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/92204 | vdb-entry, x_refsource_BID | |
| https://jira.mongodb.org/browse/SERVER-25335 | x_refsource_CONFIRM | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWSTXZJQGZVP4EEJDL/ | vendor-advisory, x_refsource_FEDORA | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2016/07/29/4 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:29:20.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1362553"
},
{
"name": "[oss-security] 20160729 Re: CVE request: mongodb: world-readable .dbshell history file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0"
},
{
"name": "92204",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92204"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-25335"
},
{
"name": "FEDORA-2016-9a8e2bbc04",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWSTXZJQGZVP4EEJDL/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908"
},
{
"name": "[oss-security] 20160729 CVE request: mongodb: world-readable .dbshell history file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-10-03T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1362553"
},
{
"name": "[oss-security] 20160729 Re: CVE request: mongodb: world-readable .dbshell history file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0"
},
{
"name": "92204",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92204"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-25335"
},
{
"name": "FEDORA-2016-9a8e2bbc04",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWSTXZJQGZVP4EEJDL/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908"
},
{
"name": "[oss-security] 20160729 CVE request: mongodb: world-readable .dbshell history file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6494",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1362553",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1362553"
},
{
"name": "[oss-security] 20160729 Re: CVE request: mongodb: world-readable .dbshell history file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/8"
},
{
"name": "https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0",
"refsource": "CONFIRM",
"url": "https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0"
},
{
"name": "92204",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92204"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-25335",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-25335"
},
{
"name": "FEDORA-2016-9a8e2bbc04",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWSTXZJQGZVP4EEJDL/"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908"
},
{
"name": "[oss-security] 20160729 CVE request: mongodb: world-readable .dbshell history file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6494",
"datePublished": "2016-10-03T18:00:00",
"dateReserved": "2016-07-29T00:00:00",
"dateUpdated": "2024-08-06T01:29:20.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7921
Vulnerability from cvelistv5
Published
2020-05-06 14:55
Modified
2024-11-18 17:30
Severity ?
EPSS score ?
Summary
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-45472 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.2 < 4.2.3 Version: 4.0 < 4.0.15 Version: 3.6 < 3.6.18 Version: 4.3 < 4.3.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:23.861Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-45472"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-7921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T17:30:25.374875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T17:30:33.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.2.3",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.0.15",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.18",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.3.3",
"status": "affected",
"version": "4.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Discovered by Tony Yesudas."
}
],
"datePublic": "2020-05-06T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eImproper serialization of internal state in the authorization subsystem in MongoDB Server\u0027s authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nImproper serialization of internal state in the authorization subsystem in MongoDB Server\u0027s authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-182",
"description": "CWE-182: Collapse of Data into Unsafe Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:07:03.921Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-45472"
}
],
"source": {
"defect": [
"SECURITY-625"
],
"discovery": "USER"
},
"title": "Administrative action may disable enforcement of per-user IP whitelisting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"ID": "CVE-2020-7921",
"STATE": "PUBLIC",
"TITLE": "Administrative action may disable enforcement of per-user IP whitelisting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.3"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.15"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.18"
},
{
"version_affected": "\u003c",
"version_name": "4.3",
"version_value": "4.3.3"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered by Tony Yesudas."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper serialization of internal state in the authorization subsystem in MongoDB Server\u0027s authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-182"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-45472",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-45472"
}
]
},
"source": {
"defect": [
"SECURITY-625"
],
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7921",
"datePublished": "2020-05-06T14:55:12",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-11-18T17:30:33.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20925
Vulnerability from cvelistv5
Published
2020-11-24 11:00
Modified
2024-09-16 23:45
Severity ?
EPSS score ?
Summary
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-43751 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.2 < 4.2.1 Version: 4.0 < 4.0.13 Version: 3.6 < 3.6.15 Version: 3.4 < 3.4.24 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:17.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-43751"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.0.13",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.15",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "3.4.24",
"status": "affected",
"version": "3.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.\u003c/p\u003e"
}
],
"value": "An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-839",
"description": "CWE-839: Numeric Range Comparison Without Minimum Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:04:48.719Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-43751"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of service via malformed network packet",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-24T17:00:00.000Z",
"ID": "CVE-2019-20925",
"STATE": "PUBLIC",
"TITLE": "Denial of service via malformed network packet"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.1"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.13"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.15"
},
{
"version_affected": "\u003c",
"version_name": "3.4",
"version_value": "3.4.24"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-839: Numeric Range Comparison Without Minimum Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-43751",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-43751"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-20925",
"datePublished": "2020-11-24T11:00:16.027516Z",
"dateReserved": "2020-10-06T00:00:00",
"dateUpdated": "2024-09-16T23:45:46.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20804
Vulnerability from cvelistv5
Published
2020-11-23 15:15
Modified
2024-09-17 02:10
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-35636 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.13 Version: 4.0 < 4.0.10 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:28.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-35636"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.13",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.10",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and\u0026nbsp;MongoDB Server v3.6 versions prior to 3.6.13.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and\u00a0MongoDB Server v3.6 versions prior to 3.6.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:27:01.952Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-35636"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Invariant failure in applyOps",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2018-20804",
"STATE": "PUBLIC",
"TITLE": "Invariant failure in applyOps"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.13"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.10"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-35636",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-35636"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2018-20804",
"datePublished": "2020-11-23T15:15:14.421540Z",
"dateReserved": "2019-03-15T00:00:00",
"dateUpdated": "2024-09-17T02:10:48.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7929
Vulnerability from cvelistv5
Published
2021-03-01 16:05
Modified
2024-09-16 19:46
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-51083 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.21 Version: 4.0 < 4.0.20 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:24.522Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-51083"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb",
"vendor": "mongodb",
"versions": [
{
"lessThan": "3.6.21",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.20",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-7929",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T18:12:01.677275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T17:22:54.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.21",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.20",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185 Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:49:00.951Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-51083"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Specially crafted regex query can cause DoS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-02-26T17:00:00.000Z",
"ID": "CVE-2020-7929",
"STATE": "PUBLIC",
"TITLE": "Specially crafted regex query can cause DoS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.21"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.20"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-185 Incorrect Regular Expression"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-51083",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-51083"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7929",
"datePublished": "2021-03-01T16:05:17.498045Z",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-09-16T19:46:52.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32037
Vulnerability from cvelistv5
Published
2021-11-24 10:40
Modified
2024-09-16 22:26
Severity ?
EPSS score ?
Summary
An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-59071 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 5.0 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:17:28.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-59071"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb",
"vendor": "mongodb",
"versions": [
{
"lessThanOrEqual": "5.0.2",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-24T16:19:37.309389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T17:09:26.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "5.0.2",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.\u003c/p\u003e"
}
],
"value": "An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:23:54.539Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-59071"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "User may trigger invariant when allowed to send commands directly to shards",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-11-24T14:09:00.000Z",
"ID": "CVE-2021-32037",
"STATE": "PUBLIC",
"TITLE": "User may trigger invariant when allowed to send commands directly to shards"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.0",
"version_value": "5.0.2"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-617 Reachable Assertion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-59071",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-59071"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-32037",
"datePublished": "2021-11-24T10:40:10.557726Z",
"dateReserved": "2021-05-05T00:00:00",
"dateUpdated": "2024-09-16T22:26:43.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-8305
Vulnerability from cvelistv5
Published
2024-10-21 14:10
Modified
2024-10-21 15:50
Severity ?
EPSS score ?
Summary
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc | MongoDB Server |
Version: 6.0 < 6.0.17 Version: 7.0 < 7.0.13 Version: 7.3 < 7.3.4 cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.3:*:*:*:*:*:*:* |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T15:49:58.398090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T15:50:06.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.17",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "7.3.4",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-10-21T14:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eprepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1288",
"description": "CWE-1288: Improper Validation of Consistency within Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T14:10:31.079Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-92382"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Server secondaries may crash due to forced index constraints",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-8305",
"datePublished": "2024-10-21T14:10:31.079Z",
"dateReserved": "2024-08-29T08:20:09.655Z",
"dateUpdated": "2024-10-21T15:50:06.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20923
Vulnerability from cvelistv5
Published
2020-11-23 15:30
Modified
2024-09-16 17:03
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-39481 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.0 < 4.0.7 |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb_server:4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb_server",
"vendor": "mongodb",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-20923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T17:28:47.037349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T17:19:26.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-39481"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.7",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine\u0027s internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine\u0027s internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:01:36.205Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-39481"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Crash while handling internal Javascript exception types",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2019-20923",
"STATE": "PUBLIC",
"TITLE": "Crash while handling internal Javascript exception types"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.7"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine\u0027s internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-749 Exposed Dangerous Method or Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-39481",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-39481"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-20923",
"datePublished": "2020-11-23T15:30:20.507217Z",
"dateReserved": "2020-10-06T00:00:00",
"dateUpdated": "2024-09-16T17:03:47.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-3971
Vulnerability from cvelistv5
Published
2014-12-25 11:00
Modified
2024-08-06 10:57
Severity ?
EPSS score ?
Summary
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b | x_refsource_CONFIRM | |
| https://jira.mongodb.org/browse/SERVER-13753 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:57:17.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-13753"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-25T06:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-13753"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3971",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b",
"refsource": "CONFIRM",
"url": "https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-13753",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-13753"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3971",
"datePublished": "2014-12-25T11:00:00",
"dateReserved": "2014-06-04T00:00:00",
"dateUpdated": "2024-08-06T10:57:17.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-3104
Vulnerability from cvelistv5
Published
2017-04-14 18:00
Modified
2024-08-05 23:47
Severity ?
EPSS score ?
Summary
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1324496 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/94929 | vdb-entry, x_refsource_BID | |
| https://jira.mongodb.org/browse/SERVER-24378 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:47:56.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324496"
},
{
"name": "94929",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94929"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-24378"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-04-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-14T16:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324496"
},
{
"name": "94929",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94929"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-24378"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-3104",
"datePublished": "2017-04-14T18:00:00",
"dateReserved": "2016-03-10T00:00:00",
"dateUpdated": "2024-08-05T23:47:56.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-25004
Vulnerability from cvelistv5
Published
2021-03-01 16:15
Modified
2024-11-19 15:42
Severity ?
EPSS score ?
Summary
A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-38275 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.11 Version: 4.0 < 4.0.6 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-38275"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25004",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-26T18:55:11.972039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T15:42:57.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.11",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.\u003c/p\u003e"
}
],
"value": "A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "FUNCTIONAL",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:30:20.718Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-38275"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Invariant failure when explaining a find with a UUID",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-02-26T17:00:00.000Z",
"ID": "CVE-2018-25004",
"STATE": "PUBLIC",
"TITLE": "Invariant failure when explaining a find with a UUID"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.11"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.6"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:F/RL:U/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-38275",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-38275"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2018-25004",
"datePublished": "2021-03-01T16:15:14.484681Z",
"dateReserved": "2021-01-29T00:00:00",
"dateUpdated": "2024-11-19T15:42:57.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-2132
Vulnerability from cvelistv5
Published
2013-08-15 17:00
Modified
2024-08-06 15:27
Severity ?
EPSS score ?
Summary
bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef."
References
| ▼ | URL | Tags |
|---|---|---|
| http://lists.opensuse.org/opensuse-updates/2013-06/msg00180.html | vendor-advisory, x_refsource_SUSE | |
| http://ubuntu.com/usn/usn-1897-1 | vendor-advisory, x_refsource_UBUNTU | |
| http://www.osvdb.org/93804 | vdb-entry, x_refsource_OSVDB | |
| https://jira.mongodb.org/browse/PYTHON-532 | x_refsource_MISC | |
| https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2 | x_refsource_MISC | |
| http://seclists.org/oss-sec/2013/q2/447 | mailing-list, x_refsource_MLIST | |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597 | x_refsource_MISC | |
| http://www.debian.org/security/2013/dsa-2705 | vendor-advisory, x_refsource_DEBIAN | |
| http://www.securityfocus.com/bid/60252 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:27:40.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2013:1064",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00180.html"
},
{
"name": "USN-1897-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-1897-1"
},
{
"name": "93804",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/93804"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/PYTHON-532"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2"
},
{
"name": "[oss-security] 20130531 Re: CVE-2013-2132 MongoDB: User-triggerable NULL pointer dereference due to utter plebbery",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/447"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597"
},
{
"name": "DSA-2705",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2013/dsa-2705"
},
{
"name": "60252",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/60252"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-08-15T17:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "openSUSE-SU-2013:1064",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00180.html"
},
{
"name": "USN-1897-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-1897-1"
},
{
"name": "93804",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/93804"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/PYTHON-532"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2"
},
{
"name": "[oss-security] 20130531 Re: CVE-2013-2132 MongoDB: User-triggerable NULL pointer dereference due to utter plebbery",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/447"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597"
},
{
"name": "DSA-2705",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2013/dsa-2705"
},
{
"name": "60252",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/60252"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-2132",
"datePublished": "2013-08-15T17:00:00Z",
"dateReserved": "2013-02-19T00:00:00Z",
"dateUpdated": "2024-08-06T15:27:40.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-20330
Vulnerability from cvelistv5
Published
2021-12-15 12:30
Modified
2024-09-16 17:23
Severity ?
EPSS score ?
Summary
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-36263 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.0 < 4.0.27 Version: 4.2 < 4.2.16 Version: 4.4 < 4.4.9 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-36263"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb",
"vendor": "mongodb",
"versions": [
{
"lessThan": "4.0.27",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "4.2.18",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.4.9",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-20330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T21:25:43.265292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T17:08:47.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.27",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "4.2.16",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.4.9",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-12-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.\u003c/p\u003e"
}
],
"value": "An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:07:57.784Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-36263"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Specific replication command with malformed oplog entries can crash secondaries",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-12-15T16:00:00.000Z",
"ID": "CVE-2021-20330",
"STATE": "PUBLIC",
"TITLE": "Specific replication command with malformed oplog entries can crash secondaries"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.27"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.16"
},
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.9"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-36263",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-36263"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-20330",
"datePublished": "2021-12-15T12:30:10.405212Z",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-09-16T17:23:58.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-15535
Vulnerability from cvelistv5
Published
2017-11-01 01:00
Modified
2024-08-05 19:57
Severity ?
EPSS score ?
Summary
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/101689 | vdb-entry, x_refsource_BID | |
| https://jira.mongodb.org/browse/SERVER-31273 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:26.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "101689",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101689"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-31273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-10-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-08T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "101689",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101689"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-31273"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15535",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "101689",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101689"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-31273",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-31273"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15535",
"datePublished": "2017-11-01T01:00:00",
"dateReserved": "2017-10-17T00:00:00",
"dateUpdated": "2024-08-05T19:57:26.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20924
Vulnerability from cvelistv5
Published
2020-11-23 15:30
Modified
2024-09-16 20:21
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-44377 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.2 < 4.2.2 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:17.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-44377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.2.2",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-394",
"description": "CWE-394 Unexpected Status Code or Return Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:02:20.333Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-44377"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Invariant in IndexBoundsBuilder",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-12-01T14:00:00.000Z",
"ID": "CVE-2019-20924",
"STATE": "PUBLIC",
"TITLE": "Invariant in IndexBoundsBuilder"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.2"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-394 Unexpected Status Code or Return Value"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-44377",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-44377"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-20924",
"datePublished": "2020-11-23T15:30:16.137845Z",
"dateReserved": "2020-10-06T00:00:00",
"dateUpdated": "2024-09-16T20:21:35.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-2390
Vulnerability from cvelistv5
Published
2019-08-30 14:41
Modified
2024-08-04 18:49
Severity ?
EPSS score ?
Summary
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-42233 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.0 < 4.0.11 Version: 3.6 < 3.6.14 Version: 3.4 < 3.4.22 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:47.495Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-42233"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.11",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.14",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "3.4.22",
"status": "affected",
"version": "3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rich Mirch"
}
],
"datePublic": "2019-08-30T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nAn unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:45:03.722Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-42233"
}
],
"source": {
"defect": [
"SECURITY-588"
],
"discovery": "EXTERNAL"
},
"title": "Code execution on Windows via OpenSSL engine injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"ID": "CVE-2019-2390",
"STATE": "PUBLIC",
"TITLE": "Code execution on Windows via OpenSSL engine injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.11"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.14"
},
{
"version_affected": "\u003c",
"version_name": "3.4",
"version_value": "3.4.22"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Rich Mirch"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects: MongoDB Inc. MongoDB Server 4.0 prior to 4.0.11; 3.6 prior to 3.6.14; 3.4 prior to 3.4.22."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-42233",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-42233"
}
]
},
"source": {
"defect": [
"SECURITY-588"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2390",
"datePublished": "2019-08-30T14:41:19",
"dateReserved": "2018-12-10T00:00:00",
"dateUpdated": "2024-08-04T18:49:47.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-2665
Vulnerability from cvelistv5
Published
2018-07-06 13:00
Modified
2024-08-05 14:02
Severity ?
EPSS score ?
Summary
The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/97612 | vdb-entry, x_refsource_BID | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | [UNKNOWN] | rhscon-core |
Version: n/a |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:02:07.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97612",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97612"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rhscon-core",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-07T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "97612",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97612"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2017-2665",
"datePublished": "2018-07-06T13:00:00",
"dateReserved": "2016-12-01T00:00:00",
"dateUpdated": "2024-08-05T14:02:07.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24272
Vulnerability from cvelistv5
Published
2022-04-21 10:45
Modified
2024-09-16 16:27
Severity ?
EPSS score ?
Summary
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-63968 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 5.0 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:07:02.637Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-63968"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "5.0.6",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-05-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-11T14:45:45",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-63968"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Server (mongod) may crash in response to unexpected requests",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2022-05-11T17:19:00.000Z",
"ID": "CVE-2022-24272",
"STATE": "PUBLIC",
"TITLE": "MongoDB Server (mongod) may crash in response to unexpected requests"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.0",
"version_value": "5.0.6"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-617: Reachable Assertion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-63968",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-63968"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2022-24272",
"datePublished": "2022-04-21T10:45:11.960475Z",
"dateReserved": "2022-01-31T00:00:00",
"dateUpdated": "2024-09-16T16:27:52.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-6619
Vulnerability from cvelistv5
Published
2014-03-06 15:00
Modified
2024-08-06 21:36
Severity ?
EPSS score ?
Summary
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2014/01/07/13 | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2014/01/07/2 | mailing-list, x_refsource_MLIST | |
| http://rhn.redhat.com/errata/RHSA-2014-0230.html | vendor-advisory, x_refsource_REDHAT | |
| https://jira.mongodb.org/browse/SERVER-7769 | x_refsource_CONFIRM | |
| http://blog.ptsecurity.com/2012/11/attacking-mongodb.html | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2014-0440.html | vendor-advisory, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1049748 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2014/01/08/9 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:01.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20140107 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/13"
},
{
"name": "[oss-security] 20140107 MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/2"
},
{
"name": "RHSA-2014:0230",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0230.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-7769"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.ptsecurity.com/2012/11/attacking-mongodb.html"
},
{
"name": "RHSA-2014:0440",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0440.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049748"
},
{
"name": "[oss-security] 20140108 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/08/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-11-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-30T12:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20140107 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/13"
},
{
"name": "[oss-security] 20140107 MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/2"
},
{
"name": "RHSA-2014:0230",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0230.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-7769"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.ptsecurity.com/2012/11/attacking-mongodb.html"
},
{
"name": "RHSA-2014:0440",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0440.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049748"
},
{
"name": "[oss-security] 20140108 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/08/9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6619",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140107 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/13"
},
{
"name": "[oss-security] 20140107 MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/2"
},
{
"name": "RHSA-2014:0230",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0230.html"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-7769",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-7769"
},
{
"name": "http://blog.ptsecurity.com/2012/11/attacking-mongodb.html",
"refsource": "MISC",
"url": "http://blog.ptsecurity.com/2012/11/attacking-mongodb.html"
},
{
"name": "RHSA-2014:0440",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0440.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1049748",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049748"
},
{
"name": "[oss-security] 20140108 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2014/01/08/9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6619",
"datePublished": "2014-03-06T15:00:00",
"dateReserved": "2014-01-07T00:00:00",
"dateUpdated": "2024-08-06T21:36:01.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-8207
Vulnerability from cvelistv5
Published
2024-08-27 11:28
Modified
2024-08-27 13:02
Severity ?
EPSS score ?
Summary
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.
Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc | MongoDB Server |
Version: 6.0 < 6.0.3 Version: 5.0 < 5.0.14 cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8207",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T13:02:38.851298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T13:02:51.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.3",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "5.0.14",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOnly environments with Linux as the underlying operating system is affected by this issue\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Only environments with Linux as the underlying operating system is affected by this issue"
}
],
"datePublic": "2024-08-27T10:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.\u003c/p\u003e\u003cp\u003eRequired Configuration: Only environments with Linux as the underlying operating system is affected by this issue\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.\n\nRequired Configuration: Only environments with Linux as the underlying operating system is affected by this issue"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-114",
"description": "CWE-114: Process Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T11:28:06.891Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-69507"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-8207",
"datePublished": "2024-08-27T11:28:06.891Z",
"dateReserved": "2024-08-27T09:59:41.085Z",
"dateUpdated": "2024-08-27T13:02:51.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32039
Vulnerability from cvelistv5
Published
2022-01-20 14:50
Modified
2024-09-17 01:51
Severity ?
EPSS score ?
Summary
Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/mongodb-js/vscode/releases/tag/v0.8.0 | x_refsource_MISC | |
| https://jira.mongodb.org/browse/VSCODE-313 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB for VS Code |
Version: MongoDB for VS Code < |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb",
"vendor": "mongodb",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32039",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:21:40.886484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:21.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:17:28.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/VSCODE-313"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB for VS Code",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "0.7.0",
"status": "affected",
"version": "MongoDB for VS Code",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-01-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0\u003c/p\u003e"
}
],
"value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:28:19.416Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/VSCODE-313"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2022-01-20T18:13:00.000Z",
"ID": "CVE-2021-32039",
"STATE": "PUBLIC",
"TITLE": "MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB for VS Code",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "MongoDB for VS Code",
"version_value": "0.7.0"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522: Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0",
"refsource": "MISC",
"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"
},
{
"name": "https://jira.mongodb.org/browse/VSCODE-313",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/VSCODE-313"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-32039",
"datePublished": "2022-01-20T14:50:10.319200Z",
"dateReserved": "2021-05-05T00:00:00",
"dateUpdated": "2024-09-17T01:51:09.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-6384
Vulnerability from cvelistv5
Published
2024-08-13 14:22
Modified
2024-11-15 13:08
Severity ?
EPSS score ?
Summary
"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc | MongoDB Server |
Version: 6.0 < 6.0.16 Version: 7.0 < 7.0.11 Version: 7.3 < 7.3.3 cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:enterprise:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:enterprise:*:*:* |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T16:05:08.483694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T16:05:21.601Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-15T13:08:20.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241115-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.16",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.11",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "7.3.3",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-08-13T14:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\"Hot\" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "\"Hot\" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T14:22:22.847Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-93516"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-6384",
"datePublished": "2024-08-13T14:22:22.847Z",
"dateReserved": "2024-06-27T08:53:38.261Z",
"dateUpdated": "2024-11-15T13:08:20.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7926
Vulnerability from cvelistv5
Published
2020-11-23 15:05
Modified
2024-09-16 20:36
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-50170 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.4 < 4.4.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:23.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-50170"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:41:03.691Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-50170"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Specific query can cause a DoS against MongoDB Server",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2020-7926",
"STATE": "PUBLIC",
"TITLE": "Specific query can cause a DoS against MongoDB Server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.1"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-755 Improper Handling of Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-50170",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-50170"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7926",
"datePublished": "2020-11-23T15:05:15.299714Z",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-09-16T20:36:34.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-1609
Vulnerability from cvelistv5
Published
2015-03-30 14:00
Modified
2024-08-06 04:47
Severity ?
EPSS score ?
Summary
MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html | vendor-advisory, x_refsource_FEDORA | |
| https://security.gentoo.org/glsa/201611-13 | vendor-advisory, x_refsource_GENTOO | |
| http://www.splunk.com/view/SP-CAAAPC3 | x_refsource_CONFIRM | |
| http://www.securitytracker.com/id/1034466 | vdb-entry, x_refsource_SECTRACK | |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html | vendor-advisory, x_refsource_FEDORA | |
| https://jira.mongodb.org/browse/SERVER-17264 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:17.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2015-4003",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html"
},
{
"name": "GLSA-201611-13",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201611-13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.splunk.com/view/SP-CAAAPC3"
},
{
"name": "1034466",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034466"
},
{
"name": "FEDORA-2015-4197",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-17264"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-30T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "FEDORA-2015-4003",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html"
},
{
"name": "GLSA-201611-13",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201611-13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.splunk.com/view/SP-CAAAPC3"
},
{
"name": "1034466",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034466"
},
{
"name": "FEDORA-2015-4197",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-17264"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1609",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2015-4003",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html"
},
{
"name": "GLSA-201611-13",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201611-13"
},
{
"name": "http://www.splunk.com/view/SP-CAAAPC3",
"refsource": "CONFIRM",
"url": "http://www.splunk.com/view/SP-CAAAPC3"
},
{
"name": "1034466",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034466"
},
{
"name": "FEDORA-2015-4197",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-17264",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-17264"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1609",
"datePublished": "2015-03-30T14:00:00",
"dateReserved": "2015-02-15T00:00:00",
"dateUpdated": "2024-08-06T04:47:17.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7925
Vulnerability from cvelistv5
Published
2020-11-23 14:50
Modified
2024-09-17 00:20
Severity ?
EPSS score ?
Summary
Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-49142 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.2 < 4.2.9 Version: 4.4 < 4.4.0-rc12 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:23.889Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-49142"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.4.0-rc12",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.\u003c/p\u003e"
}
],
"value": "Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-475",
"description": "CWE-475 Undefined Behavior for Input to API",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:38:49.622Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-49142"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of Service when processing malformed Role names",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2020-7925",
"STATE": "PUBLIC",
"TITLE": "Denial of Service when processing malformed Role names"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.9"
},
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.0-rc12"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-475 Undefined Behavior for Input to API"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-49142",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-49142"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7925",
"datePublished": "2020-11-23T14:50:12.258045Z",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-09-17T00:20:32.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-3969
Vulnerability from cvelistv5
Published
2013-10-01 20:00
Modified
2024-09-16 16:24
Severity ?
EPSS score ?
Summary
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2013/07/30/10 | mailing-list, x_refsource_MLIST | |
| http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/ | x_refsource_MISC | |
| http://secunia.com/advisories/54170 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.mongodb.org/about/alerts/ | x_refsource_CONFIRM | |
| https://jira.mongodb.org/browse/SERVER-9878 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:30:49.362Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20130730 Re: CVE Request - MongoDB \u003c=2.4.4 uninitialized object",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/07/30/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/"
},
{
"name": "54170",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/54170"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-9878"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-10-01T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20130730 Re: CVE Request - MongoDB \u003c=2.4.4 uninitialized object",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/07/30/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/"
},
{
"name": "54170",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/54170"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-9878"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-3969",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130730 Re: CVE Request - MongoDB \u003c=2.4.4 uninitialized object",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/07/30/10"
},
{
"name": "http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/",
"refsource": "MISC",
"url": "http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/"
},
{
"name": "54170",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/54170"
},
{
"name": "http://www.mongodb.org/about/alerts/",
"refsource": "CONFIRM",
"url": "http://www.mongodb.org/about/alerts/"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-9878",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-9878"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-3969",
"datePublished": "2013-10-01T20:00:00Z",
"dateReserved": "2013-06-06T00:00:00Z",
"dateUpdated": "2024-09-16T16:24:09.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-7882
Vulnerability from cvelistv5
Published
2019-07-19 15:44
Modified
2024-08-06 08:06
Severity ?
EPSS score ?
Summary
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-20691 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:06:29.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-20691"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-19T15:44:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-20691"
}
],
"source": {
"defect": [
"SECURITY-336"
],
"discovery": "INTERNAL"
},
"title": "Authentication bypass when using LDAP authentication in MongoDB Enterprise Server",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7882",
"STATE": "PUBLIC",
"TITLE": "Authentication bypass when using LDAP authentication in MongoDB Enterprise Server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-20691",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-20691"
}
]
},
"source": {
"defect": [
"SECURITY-336"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7882",
"datePublished": "2019-07-19T15:44:44",
"dateReserved": "2015-10-21T00:00:00",
"dateUpdated": "2024-08-06T08:06:29.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32036
Vulnerability from cvelistv5
Published
2022-02-04 22:33
Modified
2024-11-19 19:12
Severity ?
EPSS score ?
Summary
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-59294 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 5.0 < Version: 4.4 < Version: 4.2 < Version: 4.0 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:17:29.135Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-59294"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-26T19:15:53.093536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T19:12:46.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThanOrEqual": "5.0.3",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.4.9",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.2.16",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.0.28",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-02-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28\u003c/p\u003e"
}
],
"value": "An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:27:13.617Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-59294"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of Service and Data Integrity vulnerability in features command",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2022-02-04T17:38:00.000Z",
"ID": "CVE-2021-32036",
"STATE": "PUBLIC",
"TITLE": "Denial of Service and Data Integrity vulnerability in features command"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.0",
"version_value": "5.0.3"
},
{
"version_affected": "\u003c=",
"version_name": "4.4",
"version_value": "4.4.9"
},
{
"version_affected": "\u003c=",
"version_name": "4.2",
"version_value": "4.2.16"
},
{
"version_affected": "\u003c=",
"version_name": "4.0",
"version_value": "4.0.28"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-770: Allocation of Resources Without Limits or Throttling"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-59294",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-59294"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-32036",
"datePublished": "2022-02-04T22:33:08.292976Z",
"dateReserved": "2021-05-05T00:00:00",
"dateUpdated": "2024-11-19T19:12:46.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-2393
Vulnerability from cvelistv5
Published
2020-11-23 15:30
Modified
2024-09-16 22:40
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-43350 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.15 Version: 4.0 < 4.0.13 Version: 4.2 < 4.2.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:47.720Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-43350"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.15",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.13",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:56:01.571Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-43350"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Crash while joining collections with $lookup",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2019-2393",
"STATE": "PUBLIC",
"TITLE": "Crash while joining collections with $lookup"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.15"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.13"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.1"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416 Use After Free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-43350",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-43350"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2393",
"datePublished": "2020-11-23T15:30:24.790968Z",
"dateReserved": "2018-12-10T00:00:00",
"dateUpdated": "2024-09-16T22:40:38.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-8180
Vulnerability from cvelistv5
Published
2017-06-06 18:00
Modified
2024-08-06 13:10
Severity ?
EPSS score ?
Summary
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:51.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/installation_guide/preparing_your_environment_for_installation#restricting_access_to_mongod"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301703"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-06T17:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/installation_guide/preparing_your_environment_for_installation#restricting_access_to_mongod"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301703"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-8180",
"datePublished": "2017-06-06T18:00:00",
"dateReserved": "2014-10-10T00:00:00",
"dateUpdated": "2024-08-06T13:10:51.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20803
Vulnerability from cvelistv5
Published
2020-11-23 17:30
Modified
2024-09-16 21:02
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-38070 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.0 < 4.0.5 Version: 3.6 < 3.6.10 Version: 3.4 < 3.4.19 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:28.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-38070"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.5",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.10",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "3.4.19",
"status": "affected",
"version": "3.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and\u0026nbsp;MongoDB Server v3.4 versions prior to 3.4.19.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and\u00a0MongoDB Server v3.4 versions prior to 3.4.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:24:44.952Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-38070"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Infinite loop in aggregation expression",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-23T17:00:00.000Z",
"ID": "CVE-2018-20803",
"STATE": "PUBLIC",
"TITLE": "Infinite loop in aggregation expression"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.5"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.10"
},
{
"version_affected": "\u003c",
"version_name": "3.4",
"version_value": "3.4.19"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-38070",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-38070"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2018-20803",
"datePublished": "2020-11-23T17:30:14.042305Z",
"dateReserved": "2019-03-15T00:00:00",
"dateUpdated": "2024-09-16T21:02:58.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1409
Vulnerability from cvelistv5
Published
2023-08-23 15:21
Modified
2024-10-02 18:57
Severity ?
EPSS score ?
Summary
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.
This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc | MongoDB Server |
Version: 6.3 < Version: 5.0 < Version: 4.4 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-73662"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-77028"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230921-0007/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:57:05.773205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:57:17.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThanOrEqual": "6.3.2",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0.14",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.4.23",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-08-23T16:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.\u003c/p\u003e\u003cp\u003eThis issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.\u003c/p\u003e"
}
],
"value": "If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.\n\nThis issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-23T15:21:43.150Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-73662"
},
{
"url": "https://jira.mongodb.org/browse/SERVER-77028"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230921-0007/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Certificate validation issue in MongoDB Server running on Windows or macOS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2023-1409",
"datePublished": "2023-08-23T15:21:43.150Z",
"dateReserved": "2023-03-15T10:43:39.990Z",
"dateUpdated": "2024-10-02T18:57:17.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4650
Vulnerability from cvelistv5
Published
2013-07-04 10:00
Modified
2024-09-16 23:11
Severity ?
EPSS score ?
Summary
MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-9983 | x_refsource_CONFIRM | |
| http://www.mongodb.org/about/alerts/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-9983"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.mongodb.org/about/alerts/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-07-04T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-9983"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.mongodb.org/about/alerts/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4650",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-9983",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-9983"
},
{
"name": "http://www.mongodb.org/about/alerts/",
"refsource": "CONFIRM",
"url": "http://www.mongodb.org/about/alerts/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4650",
"datePublished": "2013-07-04T10:00:00Z",
"dateReserved": "2013-06-24T00:00:00Z",
"dateUpdated": "2024-09-16T23:11:11.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-1892
Vulnerability from cvelistv5
Published
2013-10-01 20:00
Modified
2024-08-06 15:20
Severity ?
EPSS score ?
Summary
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2013-1170.html | vendor-advisory, x_refsource_REDHAT | |
| http://www.exploit-db.com/exploits/24947 | exploit, x_refsource_EXPLOIT-DB | |
| http://www.openwall.com/lists/oss-security/2013/03/25/9 | mailing-list, x_refsource_MLIST | |
| http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html | vendor-advisory, x_refsource_FEDORA | |
| http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/ | x_refsource_MISC | |
| http://www.exploit-db.com/exploits/24935 | exploit, x_refsource_EXPLOIT-DB | |
| https://jira.mongodb.org/browse/SERVER-9124 | x_refsource_CONFIRM | |
| http://www.mongodb.org/about/alerts/ | x_refsource_CONFIRM | |
| http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101679.html | vendor-advisory, x_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2013:1170",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1170.html"
},
{
"name": "24947",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/24947"
},
{
"name": "[oss-security] 20130325 Re: CVE Request: Mongo DB",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/03/25/9"
},
{
"name": "FEDORA-2013-4539",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/"
},
{
"name": "24935",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/24935"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-9124"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"name": "FEDORA-2013-4531",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101679.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-03-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-12-01T17:26:34",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2013:1170",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1170.html"
},
{
"name": "24947",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/24947"
},
{
"name": "[oss-security] 20130325 Re: CVE Request: Mongo DB",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/03/25/9"
},
{
"name": "FEDORA-2013-4539",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/"
},
{
"name": "24935",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/24935"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-9124"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"name": "FEDORA-2013-4531",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101679.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1892",
"datePublished": "2013-10-01T20:00:00",
"dateReserved": "2013-02-19T00:00:00",
"dateUpdated": "2024-08-06T15:20:37.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-7553
Vulnerability from cvelistv5
Published
2024-08-07 09:57
Modified
2024-08-07 15:27
Severity ?
EPSS score ?
Summary
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.
Required Configuration:
Only environments with Windows as the underlying operating system is affected by this issue
References
Impacted products
| Vendor | Product | Version | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | MongoDB Inc | MongoDB Server |
Version: 5.0 < 5.0.27 Version: 6.0 < 6.0.16 Version: 7.0 < 7.0.12 Version: 7.3 < 7.3.3 cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:c_driver:0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.5.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.7.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.8.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.90.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.92.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.92.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.94.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.94.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.96.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.96.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.96.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.98.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:0.98.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.1.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.0:beta:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.2.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.0:beta0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.3.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.4.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.4.0:beta0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.4.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.4.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.4.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.4.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:rc2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:rc3:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:rc4:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.0:rc6:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.5.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.6.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.6.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.6.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.6.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.6.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.7.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.7.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.7.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.7.0:rc2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.8.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.8.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.8.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.8.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.8.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.9.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.10.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.10.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.10.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.10.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.11.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.12.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.13.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.13.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.14.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.14.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.15.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.15.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.15.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.15.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.16.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.16.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.16.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.0:beta:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.0:beta2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.17.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.18.0:alpha:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.18.0:alpha2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.18.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.19.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.19.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.19.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.20.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.20.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.21.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.21.0:beta0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.21.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.21.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.22.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.22.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.22.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.23.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.23.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.23.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.23.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.23.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.23.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.24.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.24.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.24.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.24.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.24.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.25.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.25.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.25.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.25.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.25.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.26.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:c_driver:1.26.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.1.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.1.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.1.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.1.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.1.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.2.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.3.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.4.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.4.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.5.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.6.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.6.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.6.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:0.6.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.0:alpha1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.0:alpha2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.0:beta2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.1.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.0:alpha1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.0:alpha2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.0:alpha3:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.2.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.0:beta2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.3.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.0:rc2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.4.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.5.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.5.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.5.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.5.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.5.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.6.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.6.0:alpha1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.6.0:alpha2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.6.0:alpha3:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.6.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.6.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.7.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.7.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.7.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.7.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.7.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.7.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.8.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.8.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.8.0:beta2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.8.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.8.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.8.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.9.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.9.0:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.9.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.9.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.10.0:alpha1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.10.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.11.0:alpha1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.11.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.11.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.12.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.12.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.13.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.14.0:beta1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.14.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.14.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.14.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.15.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.15.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.15.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.15.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.16.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.16.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.16.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.17.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.17.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.17.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.17.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:php_driver:1.18.0:*:*:*:*:mongodb:*:* |
||||||||
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T15:27:26.847490Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T15:27:46.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:c_driver:0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.5.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.7.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.8.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.90.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.92.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.92.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.94.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.94.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.96.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.96.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.96.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.98.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:0.98.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.1.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.0:beta:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.2.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.0:beta0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.3.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.4.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.4.0:beta0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.4.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.4.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.4.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.4.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:rc2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:rc3:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:rc4:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.0:rc6:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.5.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.6.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.6.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.6.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.6.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.6.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.7.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.7.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.7.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.7.0:rc2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.8.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.8.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.8.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.8.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.8.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.9.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.10.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.10.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.10.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.10.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.11.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.12.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.13.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.13.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.14.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.14.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.15.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.15.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.15.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.15.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.16.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.16.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.16.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.0:beta:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.0:beta2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.17.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.18.0:alpha:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.18.0:alpha2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.18.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.19.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.19.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.19.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.20.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.20.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.21.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.21.0:beta0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.21.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.21.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.22.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.22.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.22.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.23.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.23.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.23.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.23.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.23.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.23.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.24.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.24.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.24.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.24.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.24.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.25.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.25.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.25.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.25.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.25.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.26.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:c_driver:1.26.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.1.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.1.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.1.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.1.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.1.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.2.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.3.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.4.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.4.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.5.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.6.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.6.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.6.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:0.6.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.0:alpha1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.0:alpha2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.0:beta2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.1.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.0:alpha1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.0:alpha2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.0:alpha3:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.2.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.0:beta2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.3.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.0:rc2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.4.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.5.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.5.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.5.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.5.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.5.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.6.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.6.0:alpha1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.6.0:alpha2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.6.0:alpha3:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.6.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.6.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.7.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.7.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.7.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.7.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.7.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.7.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.8.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.8.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.8.0:beta2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.8.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.8.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.8.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.9.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.9.0:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.9.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.9.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.10.0:alpha1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.10.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.11.0:alpha1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.11.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.11.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.12.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.12.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.13.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.14.0:beta1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.14.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.14.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.14.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.15.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.15.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.15.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.15.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.16.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.16.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.16.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.17.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.17.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.17.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.17.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:php_driver:1.18.0:*:*:*:*:mongodb:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.27",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.16",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.12",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "7.3.3",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MongoDB C Driver",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "1.26.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MongoDB PHP Driver",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "1.18.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: var(--wht);\"\u003eOnly environments with Windows as the underlying operating system is affected by this issue\u003c/span\u003e\u003cbr\u003e\u003ci\u003e\u003cbr\u003e\u003c/i\u003e\u003cbr\u003e"
}
],
"value": "Only environments with Windows as the underlying operating system is affected by this issue"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "T. Do\u011fa Geli\u015fli"
}
],
"datePublic": "2024-08-07T09:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cp\u003e\u003cb\u003eRequired Configuration:\u003c/b\u003e\u003c/p\u003e\u003cp\u003eOnly environments with Windows as the underlying operating system is affected by this issue\u003c/p\u003e"
}
],
"value": "Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.\n\nRequired Configuration:\n\nOnly environments with Windows as the underlying operating system is affected by this issue"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T12:51:42.281Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/PHPC-2369"
},
{
"url": "https://jira.mongodb.org/browse/SERVER-93211"
},
{
"url": "https://jira.mongodb.org/browse/CDRIVER-5650"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Accessing Untrusted Directory May Allow Local Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-7553",
"datePublished": "2024-08-07T09:57:49.818Z",
"dateReserved": "2024-08-06T08:34:10.195Z",
"dateUpdated": "2024-08-07T15:27:46.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32040
Vulnerability from cvelistv5
Published
2022-04-12 14:15
Modified
2024-09-16 20:03
Severity ?
EPSS score ?
Summary
It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16.
Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-58203 | x_refsource_MISC | |
| https://jira.mongodb.org/browse/SERVER-59299 | x_refsource_MISC | |
| https://jira.mongodb.org/browse/SERVER-60218 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220609-0005/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 5.0 < 5.0.4 Version: 4.4 < Version: 4.2 < 4.2.16 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:17:29.135Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-58203"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-59299"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-60218"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0005/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb",
"vendor": "mongodb",
"versions": [
{
"lessThan": "5.0.4",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.4.28",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"lessThan": "4.2.16",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-23T18:16:37.734248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T17:07:34.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "5.0.4",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.4.28",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"lessThan": "4.2.16",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-11T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIt may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWorkaround:\u0026nbsp;\u0026gt;= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16.\n\nWorkaround:\u00a0\u003e= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T16:04:43.143Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-58203"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-59299"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-60218"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0005/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Large aggregation pipelines with a specific stage can crash mongod under default configuration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026gt;= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash."
}
],
"value": "\u003e= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2022-04-12T20:00:00.000Z",
"ID": "CVE-2021-32040",
"STATE": "PUBLIC",
"TITLE": "Large aggregation pipelines with a specific stage can crash mongod under default configuration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.0",
"version_value": "5.0.4"
},
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.11"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.16"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-58203",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-58203"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-59299",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-59299"
},
{
"name": "https://jira.mongodb.org/browse/SERVER-60218",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-60218"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220609-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220609-0005/"
}
]
},
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "\u003e=4.2.16 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-32040",
"datePublished": "2022-04-12T14:15:16.692284Z",
"dateReserved": "2021-05-05T00:00:00",
"dateUpdated": "2024-09-16T20:03:21.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7923
Vulnerability from cvelistv5
Published
2020-08-21 14:25
Modified
2024-09-17 02:27
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-47773 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.4 < 4.4.0-rc7 Version: 4.2 < 4.2.8 Version: 4.0 < 4.0.19 |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mongodb",
"vendor": "mongodb",
"versions": [
{
"status": "affected",
"version": "4.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-7923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:48:55.411971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:12.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:24.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-47773"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.4.0-rc7",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"lessThan": "4.2.8",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.0.19",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem\u0027s support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem\u0027s support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:13:08.850Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-47773"
}
],
"source": {
"defect": [
"SECURITY-658"
],
"discovery": "INTERNAL"
},
"title": "Specific GeoQuery can cause DoS against MongoDB Server",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-08-21T14:40:00.000Z",
"ID": "CVE-2020-7923",
"STATE": "PUBLIC",
"TITLE": "Specific GeoQuery can cause DoS against MongoDB Server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.0-rc7"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.8"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.19"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem\u0027s support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-755 Improper Handling of Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-47773",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-47773"
}
]
},
"source": {
"defect": [
"SECURITY-658"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7923",
"datePublished": "2020-08-21T14:25:12.201543Z",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-09-17T02:27:47.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-6375
Vulnerability from cvelistv5
Published
2024-07-01 14:40
Modified
2024-08-01 21:33
Severity ?
EPSS score ?
Summary
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc | MongoDB Server |
Version: 5.0 < 5.0.22 Version: 6.0 < 6.0.11 Version: 7.0 < 7.0.3 cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-01T20:47:45.542385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T20:47:54.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-79327"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.22",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.3",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-07-01T14:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T14:42:42.637Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-79327"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Missing authorization check may lead to shard key refinement",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-6375",
"datePublished": "2024-07-01T14:40:32.566Z",
"dateReserved": "2024-06-27T07:41:56.511Z",
"dateUpdated": "2024-08-01T21:33:05.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-20333
Vulnerability from cvelistv5
Published
2021-07-23 11:25
Modified
2024-09-17 03:08
Severity ?
EPSS score ?
Summary
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-50605 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.20 Version: 4.0 < 4.0.21 Version: 4.2 < 4.2.10 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.864Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-50605"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.20",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.21",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "4.2.10",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-22T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.\u003c/p\u003e"
}
],
"value": "Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:15:03.544Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-50605"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Server log entry spoofing via newline injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-07-23T16:00:00.000Z",
"ID": "CVE-2021-20333",
"STATE": "PUBLIC",
"TITLE": "Server log entry spoofing via newline injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.20"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.21"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.10"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-117 Improper Output Neutralization for Logs"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-50605",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-50605"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-20333",
"datePublished": "2021-07-23T11:25:11.191597Z",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-09-17T03:08:05.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20802
Vulnerability from cvelistv5
Published
2020-11-23 15:15
Modified
2024-09-17 02:26
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-36993 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.9 Version: 4.0 < 4.0.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:27.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-36993"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.9",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.3",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-394",
"description": "CWE-394 Unexpected Status Code or Return Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:21:20.619Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-36993"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Post-auth queries on compound index may crash mongod",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2018-20802",
"STATE": "PUBLIC",
"TITLE": "Post-auth queries on compound index may crash mongod"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.9"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.3"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-394 Unexpected Status Code or Return Value"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-36993",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-36993"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2018-20802",
"datePublished": "2020-11-23T15:15:18.509747Z",
"dateReserved": "2019-03-15T00:00:00",
"dateUpdated": "2024-09-17T02:26:45.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20805
Vulnerability from cvelistv5
Published
2020-11-23 15:20
Modified
2024-09-17 03:08
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-38164 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.10 Version: 4.0 < 4.0.5 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:27.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-38164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.10",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.5",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:29:21.432Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-38164"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Invariant with $elemMatch",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2018-20805",
"STATE": "PUBLIC",
"TITLE": "Invariant with $elemMatch"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.10"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.5"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Server 3.6 versions prior to 3.6.10; 4.0 versions prior to 4.0.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-834 Excessive Iteration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-38164",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-38164"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2018-20805",
"datePublished": "2020-11-23T15:20:13.690425Z",
"dateReserved": "2019-03-15T00:00:00",
"dateUpdated": "2024-09-17T03:08:29.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-2386
Vulnerability from cvelistv5
Published
2019-08-06 18:32
Modified
2024-08-04 18:49
Severity ?
EPSS score ?
Summary
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.
Workaround:
After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously deleted accounts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-38984 | x_refsource_CONFIRM | |
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.0 < 4.0.9 Version: 3.6 < 3.6.13 Version: 3.4 < 3.4.22 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:46.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-38984"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.9",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.13",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "3.4.22",
"status": "affected",
"version": "3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Discovered by Mitch Wasson of Cisco\u0027s Advanced Malware Protection Group."
}
],
"datePublic": "2019-08-06T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAfter user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user\u0027s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\u003c/p\u003eWorkaround: \u003cbr\u003e\u003cp\u003eAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\u003c/p\u003e\u003cp\u003eRefrain from creating user accounts with the same name as previously deleted accounts.\u003c/p\u003e"
}
],
"value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user\u0027s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:35:15.967Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-38984"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
}
],
"source": {
"defect": [
"SECURITY-556"
],
"discovery": "EXTERNAL"
},
"title": "Authorization session conflation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\u003c/p\u003e"
}
],
"value": "After deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\n"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRefrain from creating user accounts with the same name as previously deleted accounts.\u003c/p\u003e"
}
],
"value": "Refrain from creating user accounts with the same name as previously deleted accounts.\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"ID": "CVE-2019-2386",
"STATE": "PUBLIC",
"TITLE": "Authorization session conflation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.9"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.13"
},
{
"version_affected": "\u003c",
"version_name": "3.4",
"version_value": "3.4.22"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered by Mitch Wasson of Cisco\u0027s Advanced Malware Protection Group."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user\u0027s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-38984",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-38984"
},
{
"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829",
"refsource": "MISC",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
}
]
},
"source": {
"defect": [
"SECURITY-556"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "After deleting one or more users, restart any nodes which may have had active user authorization sessions."
},
{
"lang": "en",
"value": "Refrain from creating user accounts with the same name as previously deleted accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2386",
"datePublished": "2019-08-06T18:32:07",
"dateReserved": "2018-12-10T00:00:00",
"dateUpdated": "2024-08-04T18:49:46.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-2389
Vulnerability from cvelistv5
Published
2019-08-30 14:41
Modified
2024-08-04 18:49
Severity ?
EPSS score ?
Summary
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-40563 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.0 < 4.0.11 Version: 3.6 < 3.6.14 Version: 3.4 < 3.4.22 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:47.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-40563"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.11",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.14",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "3.4.22",
"status": "affected",
"version": "3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Sicheng Liu of Beijing DBSEC Technology Co., Ltd"
}
],
"datePublic": "2019-08-30T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect scoping of kill operations in MongoDB Server\u0027s packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22."
}
],
"value": "Incorrect scoping of kill operations in MongoDB Server\u0027s packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T14:42:59.502Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-40563"
}
],
"source": {
"defect": [
"SECURITY-567"
],
"discovery": "EXTERNAL"
},
"title": "Process termination via PID file manipulation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"ID": "CVE-2019-2389",
"STATE": "PUBLIC",
"TITLE": "Process termination via PID file manipulation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.11"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.14"
},
{
"version_affected": "\u003c",
"version_name": "3.4",
"version_value": "3.4.22"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Sicheng Liu of Beijing DBSEC Technology Co., Ltd"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect scoping of kill operations in MongoDB Server\u0027s packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732 Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-40563",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-40563"
}
]
},
"source": {
"defect": [
"SECURITY-567"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2389",
"datePublished": "2019-08-30T14:41:23",
"dateReserved": "2018-12-10T00:00:00",
"dateUpdated": "2024-08-04T18:49:47.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-20326
Vulnerability from cvelistv5
Published
2021-04-30 09:10
Modified
2024-11-19 14:57
Severity ?
EPSS score ?
Summary
A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-53929 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.4 < 4.4.4 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-53929"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-20326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-26T19:08:59.905371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:57:30.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.4.4",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Petel"
}
],
"datePublic": "2021-04-29T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.\u003c/p\u003e"
}
],
"value": "A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T16:22:01.350Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-53929"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Specially crafted query may result in a denial of service of mongod",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2021-04-30T16:00:00.000Z",
"ID": "CVE-2021-20326",
"STATE": "PUBLIC",
"TITLE": "Specially crafted query may result in a denial of service of mongod"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.4"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Adrien Petel"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-53929",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-53929"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2021-20326",
"datePublished": "2021-04-30T09:10:13.589111Z",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-11-19T14:57:30.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-2392
Vulnerability from cvelistv5
Published
2020-11-23 15:25
Modified
2024-09-16 17:58
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-43699 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 3.6 < 3.6.20 Version: 4.0 < 4.0.20 Version: 4.2 < 4.2.9 Version: 4.4 < 4.4.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:49:48.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-43699"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "3.6.20",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "4.0.20",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-12T12:18:26.760Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.mongodb.org/browse/SERVER-43699"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "$mod can result in undefined behavior",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-30T14:00:00.000Z",
"ID": "CVE-2019-2392",
"STATE": "PUBLIC",
"TITLE": "$mod can result in UB"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.20"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.20"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.9"
},
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.1"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-190 Integer Overflow or Wraparound"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-43699",
"refsource": "CONFIRM",
"url": "https://jira.mongodb.org/browse/SERVER-43699"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2019-2392",
"datePublished": "2020-11-23T15:25:14.217069Z",
"dateReserved": "2018-12-10T00:00:00",
"dateUpdated": "2024-09-16T17:58:46.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7928
Vulnerability from cvelistv5
Published
2020-11-23 16:35
Modified
2024-09-17 00:20
Severity ?
EPSS score ?
Summary
A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/SERVER-49404 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | MongoDB Inc. | MongoDB Server |
Version: 4.4 < 4.4.1 Version: 4.2 < 4.2.9 Version: 4.0 < 4.0.20 Version: 3.6 < 3.6.20 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:24.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/SERVER-49404"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "4.0.20",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.20",
"status": "affected",
"version": "3.6",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20.\u003c/p\u003e"
}
],
"value": "A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T15:46:18.372Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.mongodb.org/browse/SERVER-49404"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper neutralization of null byte leads to read overrun",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@mongodb.com",
"DATE_PUBLIC": "2020-11-23T17:20:00.000Z",
"ID": "CVE-2020-7928",
"STATE": "PUBLIC",
"TITLE": "Improper neutralization of null byte leads to read overrun"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MongoDB Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4",
"version_value": "4.4.1"
},
{
"version_affected": "\u003c",
"version_name": "4.2",
"version_value": "4.2.9"
},
{
"version_affected": "\u003c",
"version_name": "4.0",
"version_value": "4.0.20"
},
{
"version_affected": "\u003c",
"version_name": "3.6",
"version_value": "3.6.20"
}
]
}
}
]
},
"vendor_name": "MongoDB Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-158: Improper Neutralization of Null Byte or NUL Character"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.mongodb.org/browse/SERVER-49404",
"refsource": "MISC",
"url": "https://jira.mongodb.org/browse/SERVER-49404"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2020-7928",
"datePublished": "2020-11-23T16:35:12.958268Z",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-09-17T00:20:37.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2013-10-01 20:55
Modified
2024-11-21 01:50
Severity ?
Summary
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mongodb | mongodb | * | |
| mongodb | mongodb | 1.2.0 | |
| mongodb | mongodb | 1.4.0 | |
| mongodb | mongodb | 1.6.0 | |
| mongodb | mongodb | 1.8.0 | |
| mongodb | mongodb | 2.0.0 | |
| mongodb | mongodb | 2.0.1 | |
| mongodb | mongodb | 2.0.2 | |
| mongodb | mongodb | 2.0.3 | |
| mongodb | mongodb | 2.0.4 | |
| mongodb | mongodb | 2.0.5 | |
| mongodb | mongodb | 2.0.6 | |
| mongodb | mongodb | 2.0.7 | |
| mongodb | mongodb | 2.2.0 | |
| mongodb | mongodb | 2.2.1 | |
| mongodb | mongodb | 2.2.2 | |
| mongodb | mongodb | 2.2.3 | |
| redhat | enterprise_mrg | 2.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9828C4F0-141D-45AE-B6A4-1F841BF8389C",
"versionEndIncluding": "2.0.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2FBA2303-8E19-415F-BD7C-B348DE0EC478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "92948672-3F39-4675-BFB1-4ACACD078CC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A7590AB3-4433-4589-9575-647015A5DA24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EC4562CE-83D2-422C-AB94-CB0EFABC2CF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1B3AD0E-11F2-477E-9D18-B6A609A4C652",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EA0BC4E1-4BF4-4486-829C-25AA0D01B8D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C36D5752-589C-4323-8515-073DDF89DB9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F63D8331-B0E9-4571-A74C-C13D3D4A13C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB8EA4FF-62DB-40DA-833E-E43F64C79EC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "253B057C-981D-4A8C-B81E-96ACD8C5AF86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "3291EEA9-7A79-417D-98FD-1350B4A456D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "9FE04CE4-8D9F-4C56-802A-2F67DF884CDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E0F23FE-3AAF-4E29-AF89-C6365E839119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "37D967E7-87F2-450C-A593-0FEE0F2A9A94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4C6CD236-537A-4144-ACDF-5242D11AE34A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE7C828E-47B2-46AB-90F1-FD9682188E45",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_mrg:2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "15856E6B-7BF3-4377-8708-574F3F7334D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument."
},
{
"lang": "es",
"value": "MongoDB anterior a v2.0.9 y v2.2.x anterior a v.2.4 no valida correctamente las peticiones de la funci\u00f3n nativeHelper en SpiderMonkey, lo que permite a usuarios autenticados remotamente provocar una denegaci\u00f3n de servicio (acceso no v\u00e1lido a memoria y ca\u00edda del servidor) o ejecutar c\u00f3digo arbitrario a trav\u00e9s una direcci\u00f3n de memoria manipulada en el primer argumento."
}
],
"id": "CVE-2013-1892",
"lastModified": "2024-11-21T01:50:36.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-10-01T20:55:03.513",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101679.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1170.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.exploit-db.com/exploits/24935"
},
{
"source": "secalert@redhat.com",
"url": "http://www.exploit-db.com/exploits/24947"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2013/03/25/9"
},
{
"source": "secalert@redhat.com",
"url": "https://jira.mongodb.org/browse/SERVER-9124"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101679.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1170.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.exploit-db.com/exploits/24935"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.exploit-db.com/exploits/24947"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/03/25/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://jira.mongodb.org/browse/SERVER-9124"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-01 16:15
Modified
2024-11-21 05:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-51083 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-51083 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51FC089F-4BF1-4621-A981-60BF88B15B56",
"versionEndExcluding": "3.6.21",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B61A2FF1-19F3-43A8-8163-27E4F1BC267A",
"versionEndExcluding": "4.0.20",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."
},
{
"lang": "es",
"value": "Un usuario autorizado para llevar a cabo consultas a la base de datos puede desencadenar una denegaci\u00f3n de servicio cuando se emite una consulta especialmente dise\u00f1ada que contenga un tipo de expresi\u00f3n regular.\u0026#xa0;Este problema afecta a: MongoDB Inc. MongoDB Server versiones v3.6 anteriores a 3.6.21 y MongoDB Server versiones v4.0 anteriores a 4.0.20"
}
],
"id": "CVE-2020-7929",
"lastModified": "2024-11-21T05:38:01.850",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-01T16:15:12.747",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-51083"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-51083"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-185"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:02
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-36993 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-36993 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6879F72E-4204-4097-80B9-97B34048502C",
"versionEndExcluding": "3.6.9",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187B66FE-5103-43E2-9B05-B417C9A066E5",
"versionEndExcluding": "4.0.3",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la bases de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas con \u00edndices compuestos afectando a QueryPlanner.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v3.6 anteriores a 3.6.9, versiones v4.0 anteriores a 4.0.3"
}
],
"id": "CVE-2018-20802",
"lastModified": "2024-11-21T04:02:12.720",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:12.120",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-36993"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-36993"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-394"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-07 10:15
Modified
2024-09-19 20:46
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.
Required Configuration:
Only environments with Windows as the underlying operating system is affected by this issue
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/CDRIVER-5650 | Vendor Advisory | |
| cna@mongodb.com | https://jira.mongodb.org/browse/PHPC-2369 | Vendor Advisory | |
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-93211 | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D10BC49C-B4A2-41FF-98D3-6BF65E7B4284",
"versionEndExcluding": "5.0.27",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "A045AC0A-471E-444C-B3B0-4CABC23E8CFB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0408DF07-8A1B-47F1-99B2-F2AA77691528",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5E491E46-1917-41FE-8F9A-BB0BDDEB42C3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1703:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "B98DB3FF-CC3B-4E9F-A9CC-EC4C89AF3B31",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "469F95D3-ABBB-4F1A-A000-BE0F6BD60FF6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D82F8AF7-ED01-4649-849E-F248F0E02384",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "306B7CE6-8239-4AED-9ED4-4C9F5B349F58",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5C5B5180-1E12-45C2-8275-B9E528955307",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0D77EA14-F61D-4B9E-A385-70B88C482116",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "F79979F1-4080-460D-8835-6D1066611ABA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83C0919F-C4C8-45AE-BDA8-4D88BF0450D5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "ED4D2412-9769-48E3-8A7F-394112FC5B79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83A79DD6-E74E-419F-93F1-323B68502633",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "C230D3BF-7FCE-405C-B62E-B9190C995C3C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
"matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A4962B5E-0143-497C-9EBB-B5B675D8E461",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "A045AC0A-471E-444C-B3B0-4CABC23E8CFB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0408DF07-8A1B-47F1-99B2-F2AA77691528",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5E491E46-1917-41FE-8F9A-BB0BDDEB42C3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1703:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "B98DB3FF-CC3B-4E9F-A9CC-EC4C89AF3B31",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "469F95D3-ABBB-4F1A-A000-BE0F6BD60FF6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D82F8AF7-ED01-4649-849E-F248F0E02384",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "306B7CE6-8239-4AED-9ED4-4C9F5B349F58",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5C5B5180-1E12-45C2-8275-B9E528955307",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0D77EA14-F61D-4B9E-A385-70B88C482116",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "F79979F1-4080-460D-8835-6D1066611ABA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83C0919F-C4C8-45AE-BDA8-4D88BF0450D5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "ED4D2412-9769-48E3-8A7F-394112FC5B79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83A79DD6-E74E-419F-93F1-323B68502633",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "C230D3BF-7FCE-405C-B62E-B9190C995C3C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
"matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C3F476DE-A977-4F42-8637-833187D807BD",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "006DFE2F-6693-4BFE-AA9C-B535CF2BEC6D",
"versionEndExcluding": "7.3.3",
"versionStartIncluding": "7.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5200AF17-0458-4315-A9D6-06C8DF67C05B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0C3552E0-F793-4CDD-965D-457495475805",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D5EC3F68-8F41-4F6B-B2E5-920322A4A321",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "8E3C1327-F331-4448-A253-00EAC7428317",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*",
"matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*",
"matchCriteriaId": "806BC7F3-24A8-4A50-BA80-04A443407073",
"versionEndExcluding": "1.26.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "A045AC0A-471E-444C-B3B0-4CABC23E8CFB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0408DF07-8A1B-47F1-99B2-F2AA77691528",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5E491E46-1917-41FE-8F9A-BB0BDDEB42C3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1703:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "B98DB3FF-CC3B-4E9F-A9CC-EC4C89AF3B31",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "469F95D3-ABBB-4F1A-A000-BE0F6BD60FF6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D82F8AF7-ED01-4649-849E-F248F0E02384",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "306B7CE6-8239-4AED-9ED4-4C9F5B349F58",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5C5B5180-1E12-45C2-8275-B9E528955307",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0D77EA14-F61D-4B9E-A385-70B88C482116",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "F79979F1-4080-460D-8835-6D1066611ABA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83C0919F-C4C8-45AE-BDA8-4D88BF0450D5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "ED4D2412-9769-48E3-8A7F-394112FC5B79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83A79DD6-E74E-419F-93F1-323B68502633",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "C230D3BF-7FCE-405C-B62E-B9190C995C3C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5200AF17-0458-4315-A9D6-06C8DF67C05B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0C3552E0-F793-4CDD-965D-457495475805",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D5EC3F68-8F41-4F6B-B2E5-920322A4A321",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "8E3C1327-F331-4448-A253-00EAC7428317",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
"matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*",
"matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:php_driver:*:*:*:*:*:mongodb:*:*",
"matchCriteriaId": "604ED63D-4BC1-42DA-97C5-D09239230986",
"versionEndExcluding": "1.18.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "A045AC0A-471E-444C-B3B0-4CABC23E8CFB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0408DF07-8A1B-47F1-99B2-F2AA77691528",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5E491E46-1917-41FE-8F9A-BB0BDDEB42C3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1703:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "B98DB3FF-CC3B-4E9F-A9CC-EC4C89AF3B31",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "469F95D3-ABBB-4F1A-A000-BE0F6BD60FF6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D82F8AF7-ED01-4649-849E-F248F0E02384",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "306B7CE6-8239-4AED-9ED4-4C9F5B349F58",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "5C5B5180-1E12-45C2-8275-B9E528955307",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0D77EA14-F61D-4B9E-A385-70B88C482116",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "F79979F1-4080-460D-8835-6D1066611ABA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83C0919F-C4C8-45AE-BDA8-4D88BF0450D5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "ED4D2412-9769-48E3-8A7F-394112FC5B79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "83A79DD6-E74E-419F-93F1-323B68502633",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "C230D3BF-7FCE-405C-B62E-B9190C995C3C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5200AF17-0458-4315-A9D6-06C8DF67C05B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "0C3552E0-F793-4CDD-965D-457495475805",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "D5EC3F68-8F41-4F6B-B2E5-920322A4A321",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*",
"matchCriteriaId": "8E3C1327-F331-4448-A253-00EAC7428317",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
"matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*",
"matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.\n\nRequired Configuration:\n\nOnly environments with Windows as the underlying operating system is affected by this issue"
},
{
"lang": "es",
"value": "La validaci\u00f3n incorrecta de archivos cargados desde un directorio local no confiable puede permitir la escalada de privilegios locales si el sistema operativo subyacente es Windows. Esto puede provocar que la aplicaci\u00f3n ejecute un comportamiento arbitrario determinado por el contenido de los archivos no confiables. Este problema afecta a las versiones de MongoDB Server v5.0 anteriores a la 5.0.27, MongoDB Server v6.0 anteriores a la 6.0.16, MongoDB Server v7.0 anteriores a la 7.0.12, MongoDB Server v7.3 anteriores a la 7.3.3, MongoDB C Driver anteriores a la 1.26.2 y MongoDB PHP Driver anteriores a la 1.18.1. Configuraci\u00f3n requerida: este problema solo afecta a los entornos con Windows como sistema operativo subyacente."
}
],
"id": "CVE-2024-7553",
"lastModified": "2024-09-19T20:46:04.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-07T10:15:39.493",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/CDRIVER-5650"
},
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/PHPC-2369"
},
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-93211"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-04 23:15
Modified
2024-11-21 06:06
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Summary
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-59294 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-59294 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F347D870-DC73-48A2-9D83-339095FD1AC0",
"versionEndExcluding": "4.2.18",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "246D91DC-DC1E-4521-88D5-0915D4152A0A",
"versionEndExcluding": "4.4.10",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8601A2F-3061-47D5-8E27-5FEC58D25637",
"versionEndExcluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28"
},
{
"lang": "es",
"value": "Un usuario autenticado sin ninguna autorizaci\u00f3n espec\u00edfica puede ser capaz de invocar repetidamente el comando features donde a un alto volumen puede conllevar a un agotamiento de recursos o generar una alta contenci\u00f3n de bloqueos. Esto puede resultar en una denegaci\u00f3n de servicio y, en casos raros, podr\u00eda resultar en colisiones del campo id"
}
],
"id": "CVE-2021-32036",
"lastModified": "2024-11-21T06:06:45.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-04T23:15:11.490",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-59294"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-59294"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-30 14:59
Modified
2024-11-21 02:25
Severity ?
Summary
MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCE4594D-0D87-486C-A2C8-97D5378B9347",
"versionEndIncluding": "2.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E60BA295-06A2-418F-9FBC-C8DBB42AA044",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B21D4014-E2DB-4C9C-9491-B77BDA243DCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F742DADE-2B37-47F7-A9E3-4A887710745D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4F4F4E4-2B19-4B39-AB83-94036A724E53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E081EE70-D8CA-4BA9-9322-B7AAB5D81577",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5EE4A696-C8F8-45A8-BD8E-EE641A94D77A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "13CBC60C-9F7E-4635-95EC-46142470CB76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "170A26F4-4FE8-476B-A947-940D1CAAB0A6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request."
},
{
"lang": "es",
"value": "MongoDB anterior a 2.4.13 y 2.6.x anterior a 2.6.8 permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de una cadena UTF-8 manipulada en una solicitud BSON."
}
],
"id": "CVE-2015-1609",
"lastModified": "2024-11-21T02:25:46.480",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-03-30T14:59:02.210",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1034466"
},
{
"source": "cve@mitre.org",
"url": "http://www.splunk.com/view/SP-CAAAPC3"
},
{
"source": "cve@mitre.org",
"url": "https://jira.mongodb.org/browse/SERVER-17264"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/201611-13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.splunk.com/view/SP-CAAAPC3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://jira.mongodb.org/browse/SERVER-17264"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201611-13"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 17:15
Modified
2024-11-21 05:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-49404 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-49404 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99530195-8709-44C6-B379-152B44BBDCF2",
"versionEndExcluding": "3.6.20",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B61A2FF1-19F3-43A8-8163-27E4F1BC267A",
"versionEndExcluding": "4.0.20",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5705F2A5-0F0D-4E46-A422-6C5BDAEC952F",
"versionEndExcluding": "4.2.9",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23A17215-5D5F-4E8B-A6E9-2108F8489EFF",
"versionEndExcluding": "4.4.1",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60359046-63B7-43E0-86A7-0FB32E365451",
"versionEndExcluding": "4.5.1",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20."
},
{
"lang": "es",
"value": "Un usuario autorizado para realizar consultas de la base de datos puede desencadenar un desbordamiento de lectura y acceder a la memoria arbitraria mediante la emisi\u00f3n de consultas especialmente dise\u00f1adas. Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.4 anteriores a 4.4.1; versiones v4.2 anteriores a 4.2.9; versiones v4.0 anteriores a 4.0.20; versiones v3.6 anteriores a 3.6.20"
}
],
"id": "CVE-2020-7928",
"lastModified": "2024-11-21T05:38:01.733",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T17:15:12.797",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-49404"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-49404"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-158"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-01 17:15
Modified
2024-11-21 04:03
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-38275 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-38275 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B21BAF3-DD8D-404F-8863-5141E67EBA0F",
"versionEndExcluding": "3.6.11",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3C0526DC-3AEB-4EE3-9D18-1DF391565F32",
"versionEndExcluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11."
},
{
"lang": "es",
"value": "Un usuario autorizado para llevar a cabo un tipo espec\u00edfico de consulta puede desencadenar una denegaci\u00f3n de servicio al emitir un comando de explicaci\u00f3n gen\u00e9rico en una consulta de b\u00fasqueda.\u0026#xa0;Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.0 anteriores a 4.0.6;\u0026#xa0;MongoDB Server versiones v3.6 anteriores a 3.6.11"
}
],
"id": "CVE-2018-25004",
"lastModified": "2024-11-21T04:03:20.397",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-01T17:15:11.717",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38275"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-06 18:29
Modified
2024-11-21 02:18
Severity ?
Summary
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BAC0B430-8851-4203-9F4F-1D3FB9CC5034",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "848C92A9-0677-442B-8D52-A448F2019903",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service."
},
{
"lang": "es",
"value": "MongoDB sobre Red Hat Satellite 6 permite a usuarios locales evitar la autenticaci\u00f3n iniciando sesi\u00f3n con una contrase\u00f1a vac\u00eda y borrar informaci\u00f3n que podr\u00eda causar una denegaci\u00f3n de servicio."
}
],
"id": "CVE-2014-8180",
"lastModified": "2024-11-21T02:18:43.483",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-06T18:29:00.167",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Product"
],
"url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/installation_guide/preparing_your_environment_for_installation#restricting_access_to_mongod"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301703"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/installation_guide/preparing_your_environment_for_installation#restricting_access_to_mongod"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301703"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-06 19:15
Modified
2024-11-21 04:40
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.
Workaround:
After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously deleted accounts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-38984 | Vendor Advisory | |
| cna@mongodb.com | https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-38984 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56AB583F-49FA-4EBD-A1CD-EB9A0853F8F8",
"versionEndExcluding": "3.4.22",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7E74086E-F8F7-438B-8E70-CDF068C7AEE5",
"versionEndExcluding": "3.6.13",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5544C87-6AF1-43C2-A05E-7D714322D4DB",
"versionEndExcluding": "4.0.9",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user\u0027s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts.\n\n"
},
{
"lang": "es",
"value": "Despu\u00e9s de la eliminaci\u00f3n del usuario en MongoDB Server, la incomprobaci\u00f3n incorrecta de las sesiones de autorizaci\u00f3n permite que la sesi\u00f3n de usuario autenticada persista y venga combinada con cuentas nuevas, si esas cuentas reutilizan los nombres de las eliminadas. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.0 anteriores a 4.0.9; versiones v3.6 anteriores a 3.6.13; versiones v3.4 anteriores a 3.4.22."
}
],
"id": "CVE-2019-2386",
"lastModified": "2024-11-21T04:40:46.327",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-06T19:15:13.613",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38984"
},
{
"source": "cna@mongodb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38984"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-07-04 14:33
Modified
2024-11-21 01:55
Severity ?
Summary
MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FB2A001B-D790-4DEA-9420-6BD18F1D0BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7C03C0-5B7B-4808-8F50-1D5517CEF61F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C37483C2-DA83-4BE4-9960-5A691661670B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "039B2CC3-CB74-4ADE-BEEF-65A5A0C4F6E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "86DB7435-C47E-426E-B3A6-216089F4CCAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D142852D-DF64-4AE5-97A4-FAA0EF3A8AB8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database."
},
{
"lang": "es",
"value": "MongoDB v2.4.x anterior a v2.4.5 y v2.5.x anterior a v2.5.1 permite a usuarios autenticados remotamente obtener privilegios aprovechando el nombre de usuario de __sytem en cualquier base de datos."
}
],
"id": "CVE-2013-4650",
"lastModified": "2024-11-21T01:55:59.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-07-04T14:33:41.667",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.mongodb.org/about/alerts/"
},
{
"source": "cve@mitre.org",
"url": "https://jira.mongodb.org/browse/SERVER-9983"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mongodb.org/about/alerts/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://jira.mongodb.org/browse/SERVER-9983"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-12 15:15
Modified
2024-11-21 06:06
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16.
Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-58203 | Issue Tracking, Patch, Vendor Advisory | |
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-59299 | Issue Tracking, Patch, Vendor Advisory | |
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-60218 | Issue Tracking, Patch, Vendor Advisory | |
| cna@mongodb.com | https://security.netapp.com/advisory/ntap-20220609-0005/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-58203 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-59299 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-60218 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220609-0005/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9E9B009-9C50-4181-BF09-5A62CC2A69F2",
"versionEndExcluding": "4.2.16",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "63C08E83-4BD2-413A-BEC3-8CC895A66A1C",
"versionEndExcluding": "4.4.11",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8601A2F-3061-47D5-8E27-5FEC58D25637",
"versionEndExcluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16.\n\nWorkaround:\u00a0\u003e= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash."
},
{
"lang": "es",
"value": "Puede ser posible tener una tuber\u00eda de agregaci\u00f3n extremadamente larga en conjunto con una etapa/operador espec\u00edfico y causar un desbordamiento de pila debido al tama\u00f1o de los marcos de pila usados por esa etapa. Si un atacante pudiera causar tal agregaci\u00f3n, podr\u00eda colapsar MongoDB de forma maliciosa en un ataque DoS. Esta vulnerabilidad afecta a MongoDB versiones anteriores a 5.0.4, 4.4.11 y 4.2.16"
}
],
"id": "CVE-2021-32040",
"lastModified": "2024-11-21T06:06:45.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-12T15:15:07.707",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-58203"
},
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-59299"
},
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-60218"
},
{
"source": "cna@mongodb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-58203"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-59299"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-60218"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0005/"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-21 11:15
Modified
2024-11-21 06:50
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-63968 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-63968 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8485884-BDAA-4D4B-81BF-039B50E6A25C",
"versionEndIncluding": "5.0.6",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6."
},
{
"lang": "es",
"value": "Un usuario autenticado puede desencadenar una aserci\u00f3n invariante durante el env\u00edo de comandos debido a una validaci\u00f3n incorrecta en la base de datos $external. Esto puede dar lugar a una denegaci\u00f3n de servicio mongod o a la ca\u00edda del servidor. Este problema afecta a: MongoDB Inc. las versiones del servidor MongoDB v5.0, anteriores a la v5.0.6 inclusive"
}
],
"id": "CVE-2022-24272",
"lastModified": "2024-11-21T06:50:04.663",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-21T11:15:08.273",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-63968"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-63968"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 15:15
Modified
2024-11-21 05:38
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-49142 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-49142 | Issue Tracking, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5705F2A5-0F0D-4E46-A422-6C5BDAEC952F",
"versionEndExcluding": "4.2.9",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "BF2A35D2-1B6C-4078-8BC1-80C82228B7B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "489CEAC3-50D9-455C-9C09-E6777E673939",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc11:*:*:*:*:*:*",
"matchCriteriaId": "A6A05675-76B6-413C-9091-D58A8C5FD132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1C22231F-287E-429D-B6C8-79D7663DA6BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "8715F9E2-6853-4C39-86BB-930D86750627",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "189659E7-4120-433A-9B3E-D7F6DEA5E1E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "060EAC03-3F8E-419C-8E51-F1604676F50A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "D72DBC1F-53C5-45E5-A81F-5FD1E7160226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "C1C6E555-F16F-45F3-9670-79B90BC663C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "D7CE58B9-4D03-4699-BCEE-66AF65260D95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:4.4.0:rc9:*:*:*:*:*:*",
"matchCriteriaId": "B0C6031C-0830-46D0-B27F-C754FDFABB29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9."
},
{
"lang": "es",
"value": "Una comprobaci\u00f3n inapropiada de la entrada del usuario en el analizador de nombres de funciones puede conllevar al uso de memoria no inicializada, permitiendo a un atacante no autenticado usar una petici\u00f3n especialmente dise\u00f1ada para causar una denegaci\u00f3n de servicio.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.4 anteriores a 4.4.0-rc12;\u0026#xa0;versiones v4.2 anteriores a 4.2.9"
}
],
"id": "CVE-2020-7925",
"lastModified": "2024-11-21T05:38:01.387",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T15:15:11.543",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-49142"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-49142"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-475"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-11-01 01:29
Modified
2024-11-21 03:14
Severity ?
Summary
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/101689 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://jira.mongodb.org/browse/SERVER-31273 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/101689 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-31273 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC15E8B4-0238-40AE-9BF2-C18DEB922790",
"versionEndExcluding": "3.4.10",
"versionStartIncluding": "3.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory."
},
{
"lang": "es",
"value": "MongoDB, en versiones 3.4.x anteriores a la 3.4.10, y desarrollos 3.5.x, tiene un ajuste de configuraci\u00f3n deshabilitado por defecto, networkMessageCompressors (tambi\u00e9n conocido como wire protocol compression), que expone una vulnerabilidad cuando se habilita que podr\u00eda ser explotada por atacantes maliciosos con el fin de provocar una denegaci\u00f3n de servicio o modificar memoria."
}
],
"id": "CVE-2017-15535",
"lastModified": "2024-11-21T03:14:44.250",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-01T01:29:00.637",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/101689"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-31273"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/101689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-31273"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-20 15:15
Modified
2024-11-21 06:06
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://github.com/mongodb-js/vscode/releases/tag/v0.8.0 | Release Notes, Third Party Advisory | |
| cna@mongodb.com | https://jira.mongodb.org/browse/VSCODE-313 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mongodb-js/vscode/releases/tag/v0.8.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/VSCODE-313 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:visual_studio_code:*:*",
"matchCriteriaId": "AEB1AC25-4CF2-44D8-9EDA-4BA317A65158",
"versionEndIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"
},
{
"lang": "es",
"value": "Los usuarios con acceso apropiado a los archivos pueden ser capaces de acceder a las credenciales de usuario sin cifrar guardadas por MongoDB Extension for VS Code en un archivo binario. Estas credenciales pueden ser usadas por atacantes maliciosos para llevar a cabo acciones no autorizadas. Esta vulnerabilidad afecta a todas las extensiones de MongoDB para VS Code incluida y anterior a versi\u00f3n 0.7.0"
}
],
"id": "CVE-2021-32039",
"lastModified": "2024-11-21T06:06:45.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-20T15:15:07.893",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"
},
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/VSCODE-313"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/VSCODE-313"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-07-06 13:29
Modified
2024-11-21 03:23
Severity ?
4.8 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
7.0 (High) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.0 (High) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://www.securityfocus.com/bid/97612 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97612 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mongodb | mongodb | - | |
| redhat | storage_console | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*",
"matchCriteriaId": "54A50102-AB27-4077-A7B3-0E74EA1021F9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:storage_console:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E916298F-E4F3-49FB-92DA-C92013188C44",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text."
},
{
"lang": "es",
"value": "El comando skyring-setup crea contrase\u00f1as aleatorias para la base de datos mongodb de skyring, pero escribe contrase\u00f1as en texto plano en el archivo /etc/skyring/skyring.conf, propiedad de root, pero le\u00eddo por un usuario local. Cualquier usuario local que tenga acceso al sistema que ejecuta el servicio skyring ser\u00e1 capaz de obtener la contrase\u00f1a en texto plano."
}
],
"id": "CVE-2017-2665",
"lastModified": "2024-11-21T03:23:56.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 1.3,
"impactScore": 3.4,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-06T13:29:00.217",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97612"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97612"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-24 11:15
Modified
2024-11-21 04:39
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-43751 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-43751 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB29E1D7-7E63-4038-9F3E-4787B8BE0761",
"versionEndExcluding": "3.4.24",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "295BD300-FE65-4A87-A3E6-2B7CA845FD52",
"versionEndExcluding": "3.6.15",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6052EEF-CD59-4E96-9C8F-054245771F62",
"versionEndExcluding": "4.0.13",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92555477-B2C9-486C-8583-42C407047811",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24."
},
{
"lang": "es",
"value": "Un cliente no autenticado puede desencadenar una denegaci\u00f3n de servicio al emitir mensajes de protocolo de cable especialmente dise\u00f1ados, lo que causa a un descompresor de mensajes asignar memoria de manera incorrecta.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.2 anteriores a 4.2.1;\u0026#xa0;versiones v4.0 anteriores a 4.0.13;\u0026#xa0;versiones v3.6 anteriores a 3.6.15;\u0026#xa0;versiones v3.4 anteriores a 3.4.24"
}
],
"id": "CVE-2019-20925",
"lastModified": "2024-11-21T04:39:42.280",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-24T11:15:10.607",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-43751"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-43751"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-839"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-15 13:15
Modified
2024-11-21 05:46
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-36263 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-36263 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50CB3881-049A-46F5-BBB4-21DCF2466D49",
"versionEndExcluding": "4.0.25",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66EE5895-9252-49DE-810E-586E1AC484ED",
"versionEndExcluding": "4.2.14",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "177D5982-E1C3-42F0-B2E8-3345EB8C22F2",
"versionEndExcluding": "4.4.6",
"versionStartIncluding": "4.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9."
},
{
"lang": "es",
"value": "Un atacante con permisos CRUD b\u00e1sicos en una colecci\u00f3n replicada puede ejecutar el comando applyOps con entradas oplog especialmente malformadas, resultando en una potencial denegaci\u00f3n de servicio en los secundarios. Este problema afecta a las versiones de MongoDB Server v4.0 anteriores a 4.0.25; a las versiones de MongoDB Server v4.2 anteriores a 4.2.14; a las versiones de MongoDB Server v4.4 anteriores a 4.4.6"
}
],
"id": "CVE-2021-20330",
"lastModified": "2024-11-21T05:46:23.563",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-15T13:15:07.633",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-36263"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-36263"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 15:15
Modified
2024-11-21 05:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-50170 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-50170 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23A17215-5D5F-4E8B-A6E9-2108F8489EFF",
"versionEndExcluding": "4.4.1",
"versionStartIncluding": "4.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede causar una denegaci\u00f3n de servicio al emitir una consulta especialmente dise\u00f1ada que viola una invariante en el subsistema de selecci\u00f3n del servidor.\u0026#xa0;Este problema afecta a: MongoDB Server versiones 4.4 anteriores a 4.4.1.\u0026#xa0;Unas versiones anteriores a 4.4 no est\u00e1n afectadas"
}
],
"id": "CVE-2020-7926",
"lastModified": "2024-11-21T05:38:01.510",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T15:15:11.667",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-50170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-50170"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-10-21 15:15
Modified
2024-11-07 15:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-92382 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*",
"matchCriteriaId": "570BED76-46EA-45C0-8031-6E78DF9EC047",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*",
"matchCriteriaId": "5AAB2B33-6144-4453-85DC-8705E6385F90",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*",
"matchCriteriaId": "72C3D6A6-E626-40F5-BB24-F9CC021D9598",
"versionEndExcluding": "7.3.4",
"versionStartIncluding": "7.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4"
},
{
"lang": "es",
"value": "El \u00edndice prepareUnique puede provocar que los secundarios se bloqueen debido a la aplicaci\u00f3n incorrecta de restricciones de \u00edndice en los secundarios, lo que en casos extremos puede provocar que varios secundarios se bloqueen y no haya primarios. Este problema afecta a las versiones de MongoDB Server v6.0 anteriores a la 6.0.17, a las versiones de MongoDB Server v7.0 anteriores a la 7.0.13 y a las versiones de MongoDB Server v7.3 anteriores a la 7.3.4."
}
],
"id": "CVE-2024-8305",
"lastModified": "2024-11-07T15:38:32.323",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-21T15:15:04.030",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-92382"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1288"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-23 12:15
Modified
2024-11-21 05:46
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-50605 | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-50605 | Exploit, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99530195-8709-44C6-B379-152B44BBDCF2",
"versionEndExcluding": "3.6.20",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B59FB7CB-B181-44FF-9958-00F7AC57E1F2",
"versionEndExcluding": "4.0.21",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5A85B5C0-C956-4A0F-AE27-61B5597CDEB2",
"versionEndExcluding": "4.2.10",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10."
},
{
"lang": "es",
"value": "Mediante el env\u00edo de comandos especialmente dise\u00f1ados a MongoDB Server puede resultar en la generaci\u00f3n de entradas de registro artificiales o para que las entradas de registro se divididan. Este problema afecta a versiones de MongoDB Server v3.6 anteriores a 3.6.20; versiones de MongoDB Server v4.0 anteriores a 4.0.21; versiones de MongoDB Server v4.2 anteriores a 4.2.10"
}
],
"id": "CVE-2021-20333",
"lastModified": "2024-11-21T05:46:24.000",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-23T12:15:08.453",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-50605"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-50605"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-117"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 18:15
Modified
2024-11-21 04:02
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-38070 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-38070 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BC313D5-D778-4C35-B9E6-05245F490010",
"versionEndExcluding": "3.4.19",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7BA25B25-D37C-45F8-9F21-D7C90FC55C3D",
"versionEndExcluding": "3.6.10",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6F89DDA-DD36-41D2-B4C0-4A25DB322B0F",
"versionEndExcluding": "4.0.5",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and\u00a0MongoDB Server v3.4 versions prior to 3.4.19."
},
{
"lang": "es",
"value": "Un usuario autorizado para realizar consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que se repiten indefinidamente en el procesamiento matem\u00e1tico mientras retienen bloqueos.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.0 anteriores a 4.0.5;\u0026#xa0;versiones v3.6 anteriores a 3.6.10;\u0026#xa0;versiones v3.4 anteriores a 3.4.19"
}
],
"id": "CVE-2018-20803",
"lastModified": "2024-11-21T04:02:12.850",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T18:15:10.797",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38070"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38070"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:02
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-35636 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-35636 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7E74086E-F8F7-438B-8E70-CDF068C7AEE5",
"versionEndExcluding": "3.6.13",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "89BB7793-2ADB-4B05-B103-9EB696C6946B",
"versionEndExcluding": "4.0.10",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and\u00a0MongoDB Server v3.6 versions prior to 3.6.13."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir invocaciones de applyOps especialmente dise\u00f1adas.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.0 anteriores a 4.0.10;\u0026#xa0;versiones v3.6 anteriores a 3.6.13"
}
],
"id": "CVE-2018-20804",
"lastModified": "2024-11-21T04:02:12.990",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:12.197",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-35636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-35636"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-10-01 20:55
Modified
2024-11-21 01:54
Severity ?
Summary
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FB2A001B-D790-4DEA-9420-6BD18F1D0BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7C03C0-5B7B-4808-8F50-1D5517CEF61F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C37483C2-DA83-4BE4-9960-5A691661670B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "039B2CC3-CB74-4ADE-BEEF-65A5A0C4F6E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "86DB7435-C47E-426E-B3A6-216089F4CCAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object."
},
{
"lang": "es",
"value": "Find prototype en scripting/engine_v8.h en MongoDB 2.4.0 hasta 2.4.4 permite a usuarios autenticados remotos causar una denegaci\u00f3n de servicio (referencia a puntero no inicializado y ca\u00edda del servidor) o posiblemente ejecutar c\u00f3digo a discrecci\u00f3n a trav\u00e9s de un objeto RefDB inv\u00e1lido."
}
],
"id": "CVE-2013-3969",
"lastModified": "2024-11-21T01:54:38.347",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-10-01T20:55:33.687",
"references": [
{
"source": "cve@mitre.org",
"url": "http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/54170"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2013/07/30/10"
},
{
"source": "cve@mitre.org",
"url": "https://jira.mongodb.org/browse/SERVER-9878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/54170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.mongodb.org/about/alerts/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/07/30/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://jira.mongodb.org/browse/SERVER-9878"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-13 15:15
Modified
2024-11-21 09:49
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "97040FB6-7E95-4407-998C-BBB4D80654AD",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "CCCE67E2-B4AD-4375-9045-4A702B1D1056",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "ACB90095-374D-427A-899E-1607155BB924",
"versionEndExcluding": "7.3.3",
"versionStartIncluding": "7.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\"Hot\" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3"
},
{
"lang": "es",
"value": "Los usuarios desfavorecidos pueden descargar archivos de copia de seguridad \"calientes\", si son capaces de adquirir un identificador de copia de seguridad \u00fanico. Este problema afecta a las versiones de MongoDB Enterprise Server v6.0 anteriores a 6.0.16, a las versiones de MongoDB Enterprise Server v7.0 anteriores a 7.0.11 y a las versiones de MongoDB Enterprise Server v7.3 anteriores a 7.3.3."
}
],
"id": "CVE-2024-6384",
"lastModified": "2024-11-21T09:49:32.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-13T15:15:18.567",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-93516"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20241115-0001/"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-30 09:15
Modified
2024-11-21 05:46
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-53929 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-53929 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E65DD489-2A15-4B99-87CC-D27C78DF0853",
"versionEndExcluding": "4.4.4",
"versionStartIncluding": "4.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4."
},
{
"lang": "es",
"value": "Un usuario autorizado para llevar a cabo un tipo espec\u00edfico de consulta de b\u00fasqueda puede desencadenar una denegaci\u00f3n de servicio.\u0026#xa0;Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.4 anteriores a la 4.4.4."
}
],
"id": "CVE-2021-20326",
"lastModified": "2024-11-21T05:46:23.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-30T09:15:07.597",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-53929"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-53929"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-11-24 16:15
Modified
2024-11-21 06:06
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-59071 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-59071 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6CB61155-B25B-4C43-B9E9-FE51A098F199",
"versionEndIncluding": "5.0.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2."
},
{
"lang": "es",
"value": "Un usuario autorizado puede desencadenar una invariante que puede resultar en una denegaci\u00f3n de servicio o a la salida del servidor si se env\u00eda una petici\u00f3n de agregaci\u00f3n relevante a un shard. Normalmente, las peticiones se env\u00edan por medio de mongos y son requeridos privilegios especiales para conocer la direcci\u00f3n de los shards y para iniciar sesi\u00f3n en los shards de un entorno habilitado para la autenticaci\u00f3n."
}
],
"id": "CVE-2021-32037",
"lastModified": "2024-11-21T06:06:45.473",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-24T16:15:13.593",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-59071"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-59071"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-27 12:15
Modified
2024-08-30 13:07
Severity ?
6.4 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
6.7 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.7 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.
Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-69507 | Issue Tracking, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C22679CF-5E4F-4A7A-8855-915928295EF2",
"versionEndExcluding": "5.0.14",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E3E92A1-1692-4E56-8897-02B6CA6FC765",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BAE48748-BDF1-408B-9F8B-81353590F070",
"versionEndExcluding": "6.1.1",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.\n\nRequired Configuration: Only environments with Linux as the underlying operating system is affected by this issue"
},
{
"lang": "es",
"value": "En ciertas configuraciones altamente espec\u00edficas del sistema host y la instalaci\u00f3n binaria del servidor MongoDB en sistemas operativos Linux, es posible que un actor no intencionado con acceso a nivel de host haga que el binario del servidor MongoDB cargue bibliotecas compartidas controladas por el actor no intencionado cuando el binario del servidor se inicia, lo que potencialmente resulta en que el actor no deseado obtenga control total sobre el proceso del servidor MongoDB. Este problema afecta a las versiones de MongoDB Server v5.0 anteriores a la 5.0.14 y a las versiones de MongoDB Server v6.0 anteriores a la 6.0.3. Configuraci\u00f3n requerida: este problema solo afecta los entornos con Linux como sistema operativo subyacente."
}
],
"id": "CVE-2024-8207",
"lastModified": "2024-08-30T13:07:46.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.9,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-27T12:15:04.227",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-69507"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-114"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-610"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-23 16:15
Modified
2024-11-21 07:39
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.
This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-73662 | Issue Tracking, Patch, Vendor Advisory | |
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-77028 | Issue Tracking, Patch, Vendor Advisory | |
| cna@mongodb.com | https://security.netapp.com/advisory/ntap-20230921-0007/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-73662 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-77028 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230921-0007/ |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8FB74004-16AF-45A0-B0CF-01F9E9BD9E42",
"versionEndExcluding": "4.4.23",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E31A2BB4-0F80-4279-BA4A-E19A73EF4532",
"versionEndIncluding": "5.0.14",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86EBA767-37C3-42D3-91CC-FB816C097399",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D9293CA6-B1FF-4602-AECD-5E7025AF2894",
"versionEndIncluding": "6.3.2",
"versionStartIncluding": "6.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.\n\nThis issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.\n\n"
}
],
"id": "CVE-2023-1409",
"lastModified": "2024-11-21T07:39:08.080",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-23T16:15:08.167",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-73662"
},
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-77028"
},
{
"source": "cna@mongodb.com",
"url": "https://security.netapp.com/advisory/ntap-20230921-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-73662"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-77028"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230921-0007/"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-19 16:15
Modified
2024-11-21 02:37
Severity ?
8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://jira.mongodb.org/browse/SERVER-20691 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-20691 | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "0F239D53-40C3-4477-A5BC-62CC98139672",
"versionEndIncluding": "3.0.6",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access."
},
{
"lang": "es",
"value": "El manejo inapropiado de la autenticaci\u00f3n LDAP en MongoDB Server versiones 3.0.0 hasta 3.0.6, permite a un cliente no autenticado conseguir acceso no autorizado."
}
],
"id": "CVE-2015-7882",
"lastModified": "2024-11-21T02:37:35.823",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-19T16:15:11.930",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-20691"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-20691"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-10-03 18:59
Modified
2024-11-21 02:56
Severity ?
Summary
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1A2D34F9-FBC8-477D-B7B6-620597C2476C",
"versionEndExcluding": "3.0.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6587C16E-A810-4110-AFEF-F97BF27040B0",
"versionEndExcluding": "3.2.14",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A37D6883-E16A-46B1-ADBE-4F7E8EB7BD54",
"versionEndExcluding": "3.3.14",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*",
"matchCriteriaId": "772E9557-A371-4664-AE2D-4135AAEB89AA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files."
},
{
"lang": "es",
"value": "El cliente en MongoDB utiliza permisos accesibles a todos en archivos hist\u00f3ricos .dbshell, lo que podr\u00eda permitir a usuarios locales obtener informaci\u00f3n sensible leyendo estos archivos."
}
],
"id": "CVE-2016-6494",
"lastModified": "2024-11-21T02:56:13.820",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-10-03T18:59:10.523",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/4"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92204"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1362553"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://jira.mongodb.org/browse/SERVER-25335"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWSTXZJQGZVP4EEJDL/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/07/29/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92204"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1362553"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://jira.mongodb.org/browse/SERVER-25335"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWSTXZJQGZVP4EEJDL/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-14 18:59
Modified
2024-11-21 02:49
Severity ?
Summary
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://www.securityfocus.com/bid/94929 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1324496 | Issue Tracking, Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://jira.mongodb.org/browse/SERVER-24378 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94929 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1324496 | Issue Tracking, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-24378 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FB2A001B-D790-4DEA-9420-6BD18F1D0BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E60BA295-06A2-418F-9FBC-C8DBB42AA044",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database."
},
{
"lang": "es",
"value": "Mongod en MongoDB 2.6, cuando se utilizan usuarios de estilo 2.4 y 2.4 permiten a los atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de memoria y terminaci\u00f3n del proceso) aprovechando la representaci\u00f3n de la base de datos en memoria al autenticarse en una base de datos inexistente."
}
],
"id": "CVE-2016-3104",
"lastModified": "2024-11-21T02:49:23.283",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-14T18:59:00.250",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94929"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324496"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-24378"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94929"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324496"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-24378"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-03-06 15:55
Modified
2024-11-21 01:46
Severity ?
Summary
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mongodb | mongodb | * | |
| mongodb | mongodb | 1.2.0 | |
| mongodb | mongodb | 1.4.0 | |
| mongodb | mongodb | 1.6.0 | |
| mongodb | mongodb | 1.8.0 | |
| mongodb | mongodb | 2.0.0 | |
| mongodb | mongodb | 2.0.1 | |
| mongodb | mongodb | 2.0.2 | |
| mongodb | mongodb | 2.0.3 | |
| mongodb | mongodb | 2.0.4 | |
| mongodb | mongodb | 2.0.5 | |
| mongodb | mongodb | 2.0.6 | |
| mongodb | mongodb | 2.0.7 | |
| mongodb | mongodb | 2.0.8 | |
| mongodb | mongodb | 2.2.0 | |
| mongodb | mongodb | 2.2.1 | |
| mongodb | mongodb | 2.2.2 | |
| mongodb | mongodb | 2.2.3 | |
| mongodb | mongodb | 2.2.4 | |
| mongodb | mongodb | 2.2.5 | |
| mongodb | mongodb | 2.2.6 | |
| mongodb | mongodb | 2.2.7 | |
| mongodb | mongodb | 2.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A44EAA-983E-4625-A35D-EE2FE116B3B5",
"versionEndIncluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2FBA2303-8E19-415F-BD7C-B348DE0EC478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "92948672-3F39-4675-BFB1-4ACACD078CC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A7590AB3-4433-4589-9575-647015A5DA24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EC4562CE-83D2-422C-AB94-CB0EFABC2CF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1B3AD0E-11F2-477E-9D18-B6A609A4C652",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EA0BC4E1-4BF4-4486-829C-25AA0D01B8D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C36D5752-589C-4323-8515-073DDF89DB9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F63D8331-B0E9-4571-A74C-C13D3D4A13C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB8EA4FF-62DB-40DA-833E-E43F64C79EC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "253B057C-981D-4A8C-B81E-96ACD8C5AF86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "3291EEA9-7A79-417D-98FD-1350B4A456D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "9FE04CE4-8D9F-4C56-802A-2F67DF884CDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "02C47DC1-A725-460C-9EBB-5DAA616DF374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E0F23FE-3AAF-4E29-AF89-C6365E839119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "37D967E7-87F2-450C-A593-0FEE0F2A9A94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4C6CD236-537A-4144-ACDF-5242D11AE34A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE7C828E-47B2-46AB-90F1-FD9682188E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F2EDBDF4-2F0A-409A-A881-E94AC0A77A85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "185A7242-0393-4DE1-B781-7D3FA68750A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "98387C88-695E-4948-9FB4-E3D5234647E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "7B093A56-8E36-47C7-BE3C-F72FAC5CEC14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D0A29408-7294-4A11-A77D-9CFCF9FD54AB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read."
},
{
"lang": "es",
"value": "La configuraci\u00f3n por defecto para MongoDB anterior a 2.3.2 no valida objetos, lo que permite a usuarios remotos autenticados causar una denegaci\u00f3n de servicio (ca\u00edda) o leer la memoria del sistema a trav\u00e9s de un objeto BSON manipulado en el nombre de columna en un comando \"insert\", lo que provoca una sobrelectura de buffer."
}
],
"id": "CVE-2012-6619",
"lastModified": "2024-11-21T01:46:31.167",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-03-06T15:55:28.737",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://blog.ptsecurity.com/2012/11/attacking-mongodb.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0230.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0440.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/13"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/2"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2014/01/08/9"
},
{
"source": "cve@mitre.org",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049748"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-7769"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://blog.ptsecurity.com/2012/11/attacking-mongodb.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0230.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0440.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2014/01/07/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2014/01/08/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049748"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-7769"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-30 15:15
Modified
2024-11-21 04:40
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-42233 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-42233 | Issue Tracking, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56AB583F-49FA-4EBD-A1CD-EB9A0853F8F8",
"versionEndExcluding": "3.4.22",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592F0633-F2FC-4FAF-8C70-9A97AA74C240",
"versionEndExcluding": "3.6.14",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9ABE44AB-F309-4248-B319-91E184B7FABF",
"versionEndExcluding": "4.0.11",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nAn unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.\n\n\n\n"
},
{
"lang": "es",
"value": "Un usuario o programa sin privilegios en Microsoft Windows que puede crear archivos de configuraci\u00f3n de OpenSSL en una ubicaci\u00f3n fija puede hacer que los programas de utilidades enviados con el servidor de MongoDB ejecuten c\u00f3digo definido por el atacante como el usuario que ejecuta la utilidad. Este problema afecta: MongoDB Inc. Servidor MongoDB versiones 4.0 anteriores a la versi\u00f3n 4.0.11; versiones 3.6 anteriores a la versi\u00f3n 3.6.14; versiones 3.4 anteriores a la versi\u00f3n 3.4.22."
}
],
"id": "CVE-2019-2390",
"lastModified": "2024-11-21T04:40:46.720",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-30T15:15:11.050",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-42233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-42233"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:39
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-39481 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-39481 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F2C6B27-B785-4718-907F-6ECFCE02CAE3",
"versionEndExcluding": "4.0.7",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine\u0027s internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que arrojan excepciones de Javascript no controladas que contienen tipos destinados a ser incluidos en el \u00e1mbito interno del motor de Javascript.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.0 anteriores a 4.0.7"
}
],
"id": "CVE-2019-20923",
"lastModified": "2024-11-21T04:39:42.017",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:12.807",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-39481"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-39481"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-749"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-06 15:15
Modified
2024-11-21 05:38
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-45472 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-45472 | Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "072568FB-8F07-45D9-9012-DE87879E79BC",
"versionEndExcluding": "3.6.18",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A24751-DF25-420F-95BA-39AC0528A61B",
"versionEndExcluding": "4.0.15",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DF922DE-9B3A-4F75-86BE-D6883BD3BD5B",
"versionEndExcluding": "4.2.3",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A4258F05-4F2F-4F94-BDB5-2481D1A597AE",
"versionEndExcluding": "4.3.3",
"versionStartIncluding": "4.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nImproper serialization of internal state in the authorization subsystem in MongoDB Server\u0027s authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\n\n\n\n"
},
{
"lang": "es",
"value": "Una serializaci\u00f3n inapropiada del estado interno en el subsistema de autorizaci\u00f3n en el subsistema de autorizaci\u00f3n en MongoDB Server, permite a un usuario con credenciales no v\u00e1lidas omitir los mecanismos de protecci\u00f3n de lista blanca de IP despu\u00e9s de una acci\u00f3n administrativa. Este problema afecta a: MongoDB Inc. MongoDB Server versiones 4.2 anteriores a 4.2.3; versiones 4.0 anteriores a 4.0.15; versiones 4.3 anteriores a 4.3.3; versiones 3.6 anteriores a 3.6.18."
}
],
"id": "CVE-2020-7921",
"lastModified": "2024-11-21T05:38:00.877",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-06T15:15:11.880",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-45472"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-45472"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-182"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-01 15:15
Modified
2024-11-21 09:49
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Summary
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-79327 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-79327 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52107780-5C9C-4DE0-9D16-89F128662C49",
"versionEndExcluding": "5.0.22",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8EEF504-8B18-4258-89AA-CDA99F3E5875",
"versionEndExcluding": "6.0.11",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "301B06FC-E692-4D15-8E45-86268D648D6C",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3."
},
{
"lang": "es",
"value": "A un comando para refinar una clave de fragmento de colecci\u00f3n le falta una verificaci\u00f3n de autorizaci\u00f3n. Esto puede hacer que el comando se ejecute directamente en un fragmento, lo que provoca una degradaci\u00f3n del rendimiento de la consulta o revela l\u00edmites de fragmentos a trav\u00e9s de canales laterales de temporizaci\u00f3n. Esto afecta a las versiones de MongoDB Server v5.0, anteriores a la 5.0.22, a las versiones de MongoDB Server v6.0, anteriores a la 6.0.11 y a las versiones de MongoDB Server v7.0 anteriores a la 7.0.3."
}
],
"id": "CVE-2024-6375",
"lastModified": "2024-11-21T09:49:31.330",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T15:15:17.430",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-79327"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-79327"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:39
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-44377 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-44377 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B7E9930A-CF94-420D-8FAF-48AF02450F95",
"versionEndExcluding": "4.2.2",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas que desencadenan una invariante en la funci\u00f3n IndexBoundsBuilder.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.2 anteriores a 4.2.2"
}
],
"id": "CVE-2019-20924",
"lastModified": "2024-11-21T04:39:42.150",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:12.887",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-44377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-44377"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-394"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:40
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-43699 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-43699 | Issue Tracking, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99530195-8709-44C6-B379-152B44BBDCF2",
"versionEndExcluding": "3.6.20",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B61A2FF1-19F3-43A8-8163-27E4F1BC267A",
"versionEndExcluding": "4.0.20",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5705F2A5-0F0D-4E46-A422-6C5BDAEC952F",
"versionEndExcluding": "4.2.9",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23A17215-5D5F-4E8B-A6E9-2108F8489EFF",
"versionEndExcluding": "4.4.1",
"versionStartIncluding": "4.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que usan el operador $mod para desbordar unos valores negativos.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.4 anteriores a la 4.4.1;\u0026#xa0;versiones v4.2 anteriores a 4.2.9;\u0026#xa0;versiones v4.0 anteriores a 4.0.20;\u0026#xa0;versiones v3.6 anteriores a 3.6.20"
}
],
"id": "CVE-2019-2392",
"lastModified": "2024-11-21T04:40:46.983",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:12.963",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-43699"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-43699"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-08-15 17:55
Modified
2024-11-21 01:51
Severity ?
Summary
bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mongodb | mongodb | * | |
| mongodb | mongodb | 1.2.0 | |
| mongodb | mongodb | 1.4.0 | |
| mongodb | mongodb | 1.6.0 | |
| mongodb | mongodb | 1.8.0 | |
| mongodb | mongodb | 2.0.0 | |
| mongodb | mongodb | 2.2.0 | |
| mongodb | mongodb | 2.4.0 | |
| mongodb | mongodb | 2.4.1 | |
| mongodb | mongodb | 2.4.2 | |
| mongodb | mongodb | 2.4.3 | |
| mongodb | mongodb | 2.4.4 | |
| mongodb | mongodb | 2.4.5 | |
| mongodb | mongodb | 2.5.0 | |
| canonical | ubuntu_linux | 12.04 | |
| canonical | ubuntu_linux | 12.10 | |
| canonical | ubuntu_linux | 13.04 | |
| opensuse | opensuse | 12.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B7FEFBDC-9423-4194-B7F1-B928F80FA004",
"versionEndIncluding": "2.5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2FBA2303-8E19-415F-BD7C-B348DE0EC478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "92948672-3F39-4675-BFB1-4ACACD078CC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A7590AB3-4433-4589-9575-647015A5DA24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EC4562CE-83D2-422C-AB94-CB0EFABC2CF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1B3AD0E-11F2-477E-9D18-B6A609A4C652",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E0F23FE-3AAF-4E29-AF89-C6365E839119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FB2A001B-D790-4DEA-9420-6BD18F1D0BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7C03C0-5B7B-4808-8F50-1D5517CEF61F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C37483C2-DA83-4BE4-9960-5A691661670B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "039B2CC3-CB74-4ADE-BEEF-65A5A0C4F6E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "86DB7435-C47E-426E-B3A6-216089F4CCAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F3E07CB0-95EC-4024-B059-4E2180F025A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D142852D-DF64-4AE5-97A4-FAA0EF3A8AB8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
"matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*",
"matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef.\""
},
{
"lang": "es",
"value": "bson/_cbsonmodule.c en el mongo-python-driver (tambi\u00e9n conocido como pymongo) anterior a v2.5.2, como es usado en MongoDB, permite a atacantes dependientes del contexto causar una denegaci\u00f3n de servicio (referencia NULL y ca\u00edda de la aplicaci\u00f3n) a trav\u00e9s de vectores relacionados con la decodificaci\u00f3n de un \"invalid DBRef\"."
}
],
"evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/476.html\n\n\u0027CWE-476: NULL Pointer Dereference\u0027",
"id": "CVE-2013-2132",
"lastModified": "2024-11-21T01:51:06.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-08-15T17:55:24.500",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00180.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/oss-sec/2013/q2/447"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-1897-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2013/dsa-2705"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/93804"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/60252"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2"
},
{
"source": "secalert@redhat.com",
"url": "https://jira.mongodb.org/browse/PYTHON-532"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00180.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2013/q2/447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-1897-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2705"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/93804"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/60252"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://jira.mongodb.org/browse/PYTHON-532"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-09 08:29
Modified
2024-11-21 03:12
Severity ?
Summary
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/100825 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1489355 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1489356 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1489362 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100825 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1489355 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1489356 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1489362 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8C08F7D5-3B9A-4335-9631-889023D013FA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c."
},
{
"lang": "es",
"value": "En MongoDB libbson 1.7.0, la funci\u00f3n bson_iter_codewscope en bson-iter.c no calcula correctamente un argumento de longitud bson_utf8_validate, lo que permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (sobrelectura de b\u00fafer basada en mont\u00edculos en la funci\u00f3n bson_utf8_validate en bson-utf8.c), tal y como demuestra bson-to-json.c."
}
],
"id": "CVE-2017-14227",
"lastModified": "2024-11-21T03:12:22.110",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-09T08:29:00.287",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100825"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489355"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489356"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489362"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100825"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489355"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489356"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489362"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:02
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-38164 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-38164 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7BA25B25-D37C-45F8-9F21-D7C90FC55C3D",
"versionEndExcluding": "3.6.10",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6F89DDA-DD36-41D2-B4C0-4A25DB322B0F",
"versionEndExcluding": "4.0.5",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que llevan a cabo un $elemMatch. Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.0 anteriores a 4.0.5;\u0026#xa0;versiones v3.6 anteriores a 3.6.10.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones 3.6 anteriores a 3.6.10;\u0026#xa0;versiones 4.0 anteriores a 4.0.5"
}
],
"id": "CVE-2018-20805",
"lastModified": "2024-11-21T04:02:13.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:12.277",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38164"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-38164"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-834"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-834"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-30 15:15
Modified
2024-11-21 04:40
Severity ?
5.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-40563 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-40563 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56AB583F-49FA-4EBD-A1CD-EB9A0853F8F8",
"versionEndExcluding": "3.4.22",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592F0633-F2FC-4FAF-8C70-9A97AA74C240",
"versionEndExcluding": "3.6.14",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9ABE44AB-F309-4248-B319-91E184B7FABF",
"versionEndExcluding": "4.0.11",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect scoping of kill operations in MongoDB Server\u0027s packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22."
},
{
"lang": "es",
"value": "El alcance incorrecto de las operaciones de eliminaci\u00f3n en los scripts de inicio SysV empaquetados del servidor MongoDB permite a los usuarios con acceso de escritura al archivo PID insertar PID arbitrarios que se eliminar\u00e1n cuando el usuario ra\u00edz detenga el proceso de MongoDB a trav\u00e9s de SysV init. Este problema afecta a: MongoDB Inc. MongoDB Server v4.0 versiones anteriores a 4.0.11; v3.6 versiones anteriores a 3.6.14; v3.4 versiones anteriores a 3.4.22."
}
],
"id": "CVE-2019-2389",
"lastModified": "2024-11-21T04:40:46.587",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 1.9,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 4.0,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-30T15:15:10.987",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-40563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-40563"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-12-25 11:59
Modified
2024-11-21 02:09
Severity ?
Summary
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E60BA295-06A2-418F-9FBC-C8DBB42AA044",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B21D4014-E2DB-4C9C-9491-B77BDA243DCE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate."
},
{
"lang": "es",
"value": "La funci\u00f3n CmdAuthenticate::_authenticateX509 en db/commands/authentication_commands.cpp en mongod en MongoDB 2.6.x anterior a 2.6.2 permite a atacantes remotos causar una denegaci\u00f3n de servicio (ca\u00edda del demonio) intentando autenticarse con un certificado cliente X.509 inv\u00e1lido."
}
],
"id": "CVE-2014-3971",
"lastModified": "2024-11-21T02:09:14.783",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-25T11:59:00.037",
"references": [
{
"source": "cve@mitre.org",
"url": "https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-13753"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-13753"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-21 15:15
Modified
2024-11-21 05:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-47773 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-47773 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38CB828C-5F5F-476C-9644-543FDB6573BA",
"versionEndExcluding": "4.0.19",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0DA31477-9685-4A7D-888E-45222DC780C9",
"versionEndExcluding": "4.2.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B0B3E97-0E31-4904-95C6-1F7B8252606D",
"versionEndExcluding": "4.4.0",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem\u0027s support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19."
},
{
"lang": "es",
"value": "Un usuario autorizado para llevar a cabo consultas en la base de datos puede causar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que violan una invariante en el soporte del subsistema de consultas para geoNear. Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.4 anteriores a 4.4.0-rc7; versiones v4.2 anteriores a 4.2.8; versiones v4.0 anteriores a 4.0.19"
}
],
"id": "CVE-2020-7923",
"lastModified": "2024-11-21T05:38:01.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-21T15:15:13.273",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-47773"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-47773"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-23 16:15
Modified
2024-11-21 04:40
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/SERVER-43350 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/SERVER-43350 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "295BD300-FE65-4A87-A3E6-2B7CA845FD52",
"versionEndExcluding": "3.6.15",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6052EEF-CD59-4E96-9C8F-054245771F62",
"versionEndExcluding": "4.0.13",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92555477-B2C9-486C-8583-42C407047811",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15."
},
{
"lang": "es",
"value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que usan $lookup y colaciones.\u0026#xa0;Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.2 anteriores a 4.2.1;\u0026#xa0;versiones v4.0 anteriores a 4.0.13;\u0026#xa0;versiones v3.6 anteriores a 3.6.15"
}
],
"id": "CVE-2019-2393",
"lastModified": "2024-11-21T04:40:47.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T16:15:13.027",
"references": [
{
"source": "cna@mongodb.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-43350"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.mongodb.org/browse/SERVER-43350"
}
],
"sourceIdentifier": "cna@mongodb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "cna@mongodb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}