Search criteria
109 vulnerabilities by MONGODB
CVE-2025-12119 (GCVE-0-2025-12119)
Vulnerability from cvelistv5 – Published: 2025-11-18 20:21 – Updated: 2025-11-19 16:48
VLAI?
Summary
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
Severity ?
6.8 (Medium)
CWE
- CWE-825 - Expired Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| MongoDB | C Driver |
Affected:
1.9.0 , ≤ 1.30.5
(semver)
Affected: 2.0.0 , ≤ 2.1.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T16:14:28.900742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:48:51.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/mongodb/mongo-c-driver",
"defaultStatus": "unaffected",
"product": "C Driver",
"vendor": "MongoDB",
"versions": [
{
"lessThanOrEqual": "1.30.5",
"status": "affected",
"version": "1.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com/mongodb/mongo-php-driver",
"defaultStatus": "unaffected",
"product": "PHP Driver",
"vendor": "MongoDB",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A mongoc_bulk_operation_t may read invalid memory if large options are passed."
}
],
"value": "A mongoc_bulk_operation_t may read invalid memory if large options are passed."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "CWE-825 Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:21:08.252Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://github.com/mongodb/mongo-php-driver/releases/tag/1.21.2"
},
{
"url": "https://github.com/mongodb/mongo-c-driver/releases/tag/1.30.6"
},
{
"url": "https://github.com/mongodb/mongo-c-driver/releases/tag/2.1.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bulk write with options may read invalid memory",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-12119",
"datePublished": "2025-11-18T20:21:08.252Z",
"dateReserved": "2025-10-23T16:43:24.098Z",
"dateUpdated": "2025-11-19T16:48:51.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12100 (GCVE-0-2025-12100)
Vulnerability from cvelistv5 – Published: 2025-10-23 21:02 – Updated: 2025-10-25 03:56
VLAI?
Summary
Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB | BI Connector ODBC driver |
Affected:
1.0.0 , ≤ 1.4.6
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-25T03:56:10.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "BI Connector ODBC driver",
"vendor": "MongoDB",
"versions": [
{
"lessThanOrEqual": "1.4.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-23T21:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.\u003cp\u003eThis issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6.\u003c/p\u003e"
}
],
"value": "Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T21:02:18.599Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://github.com/mongodb/mongo-bi-connector-odbc-driver/releases/tag/v1.4.7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MongoDB BI Connector ODBC driver installation via MSI may leave ACLs unset on custom installation directories",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-12100",
"datePublished": "2025-10-23T21:02:18.599Z",
"dateReserved": "2025-10-23T00:22:17.477Z",
"dateUpdated": "2025-10-25T03:56:10.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11575 (GCVE-0-2025-11575)
Vulnerability from cvelistv5 – Published: 2025-10-23 00:22 – Updated: 2025-10-24 03:55
VLAI?
Summary
Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB | Atlas SQL ODBC driver |
Affected:
1.0.0 , ≤ 2.0.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11575",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T03:55:20.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Atlas SQL ODBC driver",
"vendor": "MongoDB",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-09T14:14:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.\u003cp\u003eThis issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.\u003c/p\u003e"
}
],
"value": "Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T16:53:38.634Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://www.mongodb.com/docs/atlas/release-notes/sql/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MongoDB Atlas SQL ODBC driver installation via MSI may leave ACLs unset on custom installation directories",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-11575",
"datePublished": "2025-10-23T00:22:00.809Z",
"dateReserved": "2025-10-09T23:13:28.369Z",
"dateUpdated": "2025-10-24T03:55:20.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11979 (GCVE-0-2025-11979)
Vulnerability from cvelistv5 – Published: 2025-10-20 17:47 – Updated: 2025-10-20 20:21
VLAI?
Summary
An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.
Severity ?
5.3 (Medium)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc. | Server |
Affected:
8.2.0
(Custom)
Affected: 8.0.0 , < 8.0.14 (Custom) Affected: 7.0.0 , < 7.0.25 (Custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T20:21:19.312061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T20:21:27.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"status": "affected",
"version": "8.2.0",
"versionType": "Custom"
},
{
"lessThan": "8.0.14",
"status": "affected",
"version": "8.0.0",
"versionType": "Custom"
},
{
"lessThan": "7.0.25",
"status": "affected",
"version": "7.0.0",
"versionType": "Custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T17:47:57.947Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-105873"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-11979",
"datePublished": "2025-10-20T17:47:57.947Z",
"dateReserved": "2025-10-20T17:38:55.869Z",
"dateUpdated": "2025-10-20T20:21:27.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11695 (GCVE-0-2025-11695)
Vulnerability from cvelistv5 – Published: 2025-10-13 16:22 – Updated: 2025-10-21 03:55
VLAI?
Summary
When tlsInsecure=False appears in a connection string, certificate validation is disabled.
This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5
Severity ?
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB | Rust Driver |
Affected:
0 , < v3.2.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T03:55:19.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rust Driver",
"vendor": "MongoDB",
"versions": [
{
"lessThan": "v3.2.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003c/p\u003e\u003c/b\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eWhen tlsInsecure=False appears in a connection string, certificate validation is disabled.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability affects MongoDB Rust Driver versions prior to v3.2.5\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "When tlsInsecure=False appears in a connection string, certificate validation is disabled.\n\nThis vulnerability affects MongoDB Rust Driver versions prior to v3.2.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T16:22:57.417Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/RUST-2264"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Configuration may unexpectedly disable certificate validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-11695",
"datePublished": "2025-10-13T16:22:57.417Z",
"dateReserved": "2025-10-13T16:15:52.158Z",
"dateUpdated": "2025-10-21T03:55:19.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10061 (GCVE-0-2025-10061)
Vulnerability from cvelistv5 – Published: 2025-09-05 20:48 – Updated: 2025-09-05 21:08
VLAI?
Summary
An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2
Severity ?
6.5 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.25
(custom)
Affected: 7.0 , < 7.0.22 (custom) Affected: 8.0 , < 8.0.12 (custom) Affected: 8.1 , < 8.1.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T21:07:15.019864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T21:08:44.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.25",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.22",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.12",
"status": "affected",
"version": "8.0",
"versionType": "custom"
},
{
"lessThan": "8.1.2",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2"
}
],
"value": "An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T20:48:25.215Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-99616"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Malformed $group Query May Cause MongoDB Server to Crash",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-10061",
"datePublished": "2025-09-05T20:48:25.215Z",
"dateReserved": "2025-09-05T20:41:48.167Z",
"dateUpdated": "2025-09-05T21:08:44.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10060 (GCVE-0-2025-10060)
Vulnerability from cvelistv5 – Published: 2025-09-05 20:39 – Updated: 2025-09-05 21:08
VLAI?
Summary
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12
Severity ?
6.5 (Medium)
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.25
(custom)
Affected: 7.0 , < 7.0.22 (custom) Affected: 8.0 , < 8.0.12 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T21:07:23.024155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T21:08:05.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.25",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.22",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.12",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12"
}
],
"value": "MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T20:39:14.188Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-95524"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-10060",
"datePublished": "2025-09-05T20:39:14.188Z",
"dateReserved": "2025-09-05T20:28:10.874Z",
"dateUpdated": "2025-09-05T21:08:05.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10059 (GCVE-0-2025-10059)
Vulnerability from cvelistv5 – Published: 2025-09-05 20:26 – Updated: 2025-09-05 20:44
VLAI?
Summary
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
Severity ?
6.5 (Medium)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.24
(custom)
Affected: 7.0 , < 7.0.18 (custom) Affected: 8.0 , < 8.0.6 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T20:43:05.307135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T20:44:22.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.24",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.18",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.6",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T20:26:52.612Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-100901"
},
{
"url": "https://jira.mongodb.org/browse/SERVER-100909"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Server router will crash when incorrect lsid is set on a sharded query",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-10059",
"datePublished": "2025-09-05T20:26:52.612Z",
"dateReserved": "2025-09-05T20:10:54.977Z",
"dateUpdated": "2025-09-05T20:44:22.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7259 (GCVE-0-2025-7259)
Vulnerability from cvelistv5 – Published: 2025-07-07 15:59 – Updated: 2025-07-07 16:13
VLAI?
Summary
An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.
Severity ?
6.5 (Medium)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
8.1 , ≤ 8.1.0
(custom)
cpe:2.3:a:mongodb:mongodb:8.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T16:13:43.106144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T16:13:48.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T15:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.\u003c/p\u003e"
}
],
"value": "An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:59:01.902Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-102693"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-7259",
"datePublished": "2025-07-07T15:59:01.902Z",
"dateReserved": "2025-07-07T15:05:32.437Z",
"dateUpdated": "2025-07-07T16:13:48.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6714 (GCVE-0-2025-6714)
Vulnerability from cvelistv5 – Published: 2025-07-07 14:48 – Updated: 2025-07-07 19:11
VLAI?
Summary
MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9
Required Configuration:
This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.23
(custom)
Affected: 7.0 , < 7.0.20 (custom) Affected: 8.0 , < 8.0.9 (custom) cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.8:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T19:11:36.252213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T19:11:47.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.8:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.23",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.20",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eThis affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports."
}
],
"datePublic": "2025-07-07T14:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMongoDB Server\u0027s mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9\u003c/p\u003e\u003cp\u003e\u003cb\u003eRequired Configuration:\u003c/b\u003e\u003c/p\u003e\u003cp\u003eThis affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.\u003c/p\u003e"
}
],
"value": "MongoDB Server\u0027s mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9\n\nRequired Configuration:\n\nThis affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:48:48.312Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-106753"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6714",
"datePublished": "2025-07-07T14:48:48.312Z",
"dateReserved": "2025-06-26T11:58:50.544Z",
"dateUpdated": "2025-07-07T19:11:47.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6713 (GCVE-0-2025-6713)
Vulnerability from cvelistv5 – Published: 2025-07-07 14:46 – Updated: 2025-07-18 05:50
VLAI?
Summary
An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22
Severity ?
7.7 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.22
(custom)
Affected: 7.0 , < 7.0.19 (custom) Affected: 8.0 , < 8.0.7 (custom) cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.6:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T19:11:00.438009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T19:11:13.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.22",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.19",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.7",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T14:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22\u003c/p\u003e"
}
],
"value": "An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T05:50:23.153Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-106752"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6713",
"datePublished": "2025-07-07T14:46:36.201Z",
"dateReserved": "2025-06-26T11:52:57.357Z",
"dateUpdated": "2025-07-18T05:50:23.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6712 (GCVE-0-2025-6712)
Vulnerability from cvelistv5 – Published: 2025-07-07 14:44 – Updated: 2025-07-07 14:53
VLAI?
Summary
MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability. This issue affects MongoDB Server v8.0 versions prior to 8.0.10
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
8.0 , < 8.0.10
(custom)
cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.9:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T14:53:35.680320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:53:47.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.9:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "8.0.10",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T14:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability. This issue affects MongoDB Server v8.0 versions prior to 8.0.10\u003c/p\u003e"
}
],
"value": "MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability. This issue affects MongoDB Server v8.0 versions prior to 8.0.10"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:45:55.924Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-106751"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6712",
"datePublished": "2025-07-07T14:44:38.183Z",
"dateReserved": "2025-06-26T11:48:56.095Z",
"dateUpdated": "2025-07-07T14:53:47.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6711 (GCVE-0-2025-6711)
Vulnerability from cvelistv5 – Published: 2025-07-07 14:42 – Updated: 2025-07-07 14:58
VLAI?
Summary
An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.
Severity ?
4.4 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.21
(custom)
Affected: 7.0 , < 7.0.18 (custom) Affected: 8.0 , < 8.0.5 (custom) cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T14:56:14.136564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:58:08.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.21",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.18",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T14:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.\u003c/p\u003e"
}
],
"value": "An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:42:16.562Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-98720"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incomplete Redaction of Sensitive Information in MongoDB Server Logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6711",
"datePublished": "2025-07-07T14:42:16.562Z",
"dateReserved": "2025-06-26T11:44:16.283Z",
"dateUpdated": "2025-07-07T14:58:08.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6710 (GCVE-0-2025-6710)
Vulnerability from cvelistv5 – Published: 2025-06-26 14:09 – Updated: 2025-06-26 17:35
VLAI?
Summary
MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.
The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.
Severity ?
7.5 (High)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.21
(custom)
Affected: 7.0 , < 7.0.17 (custom) Affected: 8.0 , < 8.0.5 (custom) cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T17:34:54.163744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T17:35:01.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.21",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.17",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-26T11:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.\u003c/p\u003e\u003cp\u003eThe same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.\u003c/p\u003e"
}
],
"value": "MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.\n\nThe same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T14:09:29.581Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-106749"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6710",
"datePublished": "2025-06-26T14:09:29.581Z",
"dateReserved": "2025-06-26T11:38:14.955Z",
"dateUpdated": "2025-06-26T17:35:01.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6709 (GCVE-0-2025-6709)
Vulnerability from cvelistv5 – Published: 2025-06-26 14:07 – Updated: 2025-06-26 17:39
VLAI?
Summary
The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.
The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
7.0 , < 7.0.17
(custom)
Affected: 8.0 , < 8.0.5 (custom) Affected: 6.0 , < 6.0.21 (custom) cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T17:39:05.900969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T17:39:12.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "7.0.17",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
},
{
"lessThan": "6.0.21",
"status": "affected",
"version": "6.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-26T11:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.\u003c/p\u003e\u003cp\u003eThe same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.\u003c/p\u003e"
}
],
"value": "The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.\n\nThe same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T14:07:04.979Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-106748"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Pre-Authentication Denial of Service Vulnerability in MongoDB Server\u0027s OIDC Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6709",
"datePublished": "2025-06-26T14:07:04.979Z",
"dateReserved": "2025-06-26T11:28:51.253Z",
"dateUpdated": "2025-06-26T17:39:12.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6707 (GCVE-0-2025-6707)
Vulnerability from cvelistv5 – Published: 2025-06-26 14:04 – Updated: 2025-06-27 03:55
VLAI?
Summary
Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.
Severity ?
4.2 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
5.0 , < 5.0.31
(custom)
Affected: 6.0 , < 6.0.24 (custom) Affected: 7.0 , < 7.0.21 (custom) Affected: 8.0 , < 8.0.5 (custom) cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T03:55:27.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.31",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.24",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.21",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-26T11:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5."
}
],
"value": "Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T14:04:46.283Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-93497"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Race condition in privilege cache invalidation cycle",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6707",
"datePublished": "2025-06-26T14:04:46.283Z",
"dateReserved": "2025-06-26T11:09:08.157Z",
"dateUpdated": "2025-06-27T03:55:27.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6706 (GCVE-0-2025-6706)
Vulnerability from cvelistv5 – Published: 2025-06-26 14:00 – Updated: 2025-06-26 17:40
VLAI?
Summary
An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.
The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.
Severity ?
5 (Medium)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
6.0 , < 6.0.21
(custom)
Affected: 7.0 , < 7.0.17 (custom) Affected: 8.0 , < 8.0.4 (custom) cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T17:40:36.944495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T17:40:45.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.21",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.17",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.4",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eSBE Engine must be enabled in order for this to occur.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "SBE Engine must be enabled in order for this to occur."
}
],
"datePublic": "2025-06-26T13:59:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.\u003cbr\u003eThe crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled."
}
],
"value": "An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.\nThe crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T14:00:22.802Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-106746"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-6706",
"datePublished": "2025-06-26T14:00:22.802Z",
"dateReserved": "2025-06-26T10:53:59.446Z",
"dateUpdated": "2025-06-26T17:40:45.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40906 (GCVE-0-2025-40906)
Vulnerability from cvelistv5 – Published: 2025-05-16 15:15 – Updated: 2025-09-09 13:54
VLAI?
Summary
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.
Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755.
BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-17T02:38:23.781160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:54:31.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "BSON-XS",
"product": "BSON::XS",
"repo": "https://github.com/mongodb-labs/mongo-perl-bson-xs",
"vendor": "MONGODB",
"versions": [
{
"lessThanOrEqual": "0.8.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.\u003cbr\u003e\u003cbr\u003eThose include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. \u003cbr\u003e\u003cbr\u003eBSON-XS was the official Perl XS implementation of MongoDB\u0027s BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.\u003cbr\u003e"
}
],
"value": "BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.\n\nThose include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. \n\nBSON-XS was the official Perl XS implementation of MongoDB\u0027s BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1104",
"description": "CWE-1104 Use of Unmaintained Third Party Components",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:22:22.125Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Manually remove the bundled version of libbson, update the \"bson\" folder with an up-to-date version of libbson\u0027s source code and try building against it."
}
],
"value": "Manually remove the bundled version of libbson, update the \"bson\" folder with an up-to-date version of libbson\u0027s source code and try building against it."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Consider using a security patched version of BSON::XS from a downstream packager or OS distribution."
}
],
"value": "Consider using a security patched version of BSON::XS from a downstream packager or OS distribution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40906",
"datePublished": "2025-05-16T15:15:49.810Z",
"dateReserved": "2025-04-16T09:05:34.360Z",
"dateUpdated": "2025-09-09T13:54:31.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3085 (GCVE-0-2025-3085)
Vulnerability from cvelistv5 – Published: 2025-04-01 12:05 – Updated: 2025-04-01 13:03
VLAI?
Summary
A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.
Required Configuration : MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled
Severity ?
8.1 (High)
CWE
- CWE-299 - Improper Check for Certificate Revocation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
5.0 , < 5.0.31
(custom)
Affected: 6.0 , < 6.0.20 (custom) Affected: 7.0 , < 7.0.16 (custom) Affected: 8.0. , < 8.0.4 (custom) cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T13:02:43.439177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T13:03:02.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.31",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.20",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.16",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.4",
"status": "affected",
"version": "8.0.",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled"
}
],
"value": "MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled"
}
],
"datePublic": "2025-04-01T09:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer\u0027s certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.\u003cbr\u003eRequired Configuration :\u0026nbsp;MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled\u003c/p\u003e"
}
],
"value": "A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer\u0027s certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.\nRequired Configuration :\u00a0MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-299",
"description": "CWE-299: Improper Check for Certificate Revocation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T12:05:05.401Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-95445"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-3085",
"datePublished": "2025-04-01T12:05:05.401Z",
"dateReserved": "2025-04-01T09:16:34.872Z",
"dateUpdated": "2025-04-01T13:03:02.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3084 (GCVE-0-2025-3084)
Vulnerability from cvelistv5 – Published: 2025-04-01 11:14 – Updated: 2025-04-01 13:10
VLAI?
Summary
When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4
Severity ?
6.5 (Medium)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
5.0 , < 5.0.31
(custom)
Affected: 6.0 , < 6.0.20 (custom) Affected: 7.0 , < 7.0.16 (custom) Affected: 8.0 , < 8.0.4 (custom) cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T13:04:31.910410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T13:10:04.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.31",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.20",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.16",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.4",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-04-01T09:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4\u003c/p\u003e"
}
],
"value": "When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T11:14:19.784Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-103153"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "MongoDB Server may crash due to improper validation of explain command",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-3084",
"datePublished": "2025-04-01T11:14:19.784Z",
"dateReserved": "2025-04-01T09:07:06.147Z",
"dateUpdated": "2025-04-01T13:10:04.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3083 (GCVE-0-2025-3083)
Vulnerability from cvelistv5 – Published: 2025-04-01 11:12 – Updated: 2025-04-01 13:18
VLAI?
Summary
Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16
Severity ?
7.5 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
5.0 , < 5.0.31
(custom)
Affected: 6.0 , < 6.0.20 (custom) Affected: 7.0. , < 7.0.16 (custom) cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T13:11:21.374450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T13:18:48.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.31",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.20",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.16",
"status": "affected",
"version": "7.0.",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-04-01T11:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSpecifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, \u0026nbsp;MongoDB v6.0 versions prior to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e6.0.20 and MongoDB v7.0 versions prior to 7.0.16\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, \u00a0MongoDB v6.0 versions prior to\u00a06.0.20 and MongoDB v7.0 versions prior to 7.0.16"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T11:12:31.268Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-103152"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Malformed MongoDB wire protocol messages may cause mongos to crash",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-3083",
"datePublished": "2025-04-01T11:12:31.268Z",
"dateReserved": "2025-04-01T08:58:57.864Z",
"dateUpdated": "2025-04-01T13:18:48.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3082 (GCVE-0-2025-3082)
Vulnerability from cvelistv5 – Published: 2025-04-01 11:08 – Updated: 2025-04-01 15:14
VLAI?
Summary
A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
5.0 , < 5.0.31
(custom)
Affected: 6.0 , < 6.0.20 (custom) Affected: 7.0 , < 7.0.14 (custom) Affected: 7.3 , < 7.3.4 (custom) cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.3.3:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T15:14:28.533719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T15:14:39.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.30:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.3.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.31",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.20",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.14",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "7.3.4",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-04-01T08:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T11:08:06.589Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-103151"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "User may override a view\u0027s collation and gain unauthorized access to underlying data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-3082",
"datePublished": "2025-04-01T11:08:06.589Z",
"dateReserved": "2025-04-01T08:47:40.658Z",
"dateUpdated": "2025-04-01T15:14:39.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0755 (GCVE-0-2025-0755)
Vulnerability from cvelistv5 – Published: 2025-03-18 09:01 – Updated: 2025-11-03 19:35
VLAI?
Summary
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
Severity ?
8.4 (High)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| MongoDB Inc | libbson |
Affected:
0 , < 1.27.5
(custom)
cpe:2.3:a:mongodb:libbson:0.2.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.2.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.4.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.6.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.6.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.6.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.6.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.6.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.8.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.8.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:0.98.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.1.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.0:beta1:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.2.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.0:beta0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.3.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.4.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.4.0:beta0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.4.0:beta1:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.4.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.4.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:rc1:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:rc2:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:rc3:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:rc4:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.0:rc6:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.5.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.6.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.6.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.6.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.6.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.7.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.7.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.7.0:rc1:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.7.0:rc2:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.8.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.8.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.8.0:rc1:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.8.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.0:-:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.0:rc1:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.9.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.10.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.11.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.12.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.13.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.13.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.14.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.15.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.15.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.15.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.16.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.16.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.16.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.0:beta:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.0:beta2:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.0:rc0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.17.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.18.0:alpha:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.18.0:alpha2:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.18.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.19.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.19.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.19.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.20.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.20.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.21.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.21.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.21.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.22.0:beta0:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.22.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.22.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.22.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.23.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.23.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.23.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.23.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.23.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.23.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.24.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.24.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.24.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.24.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.24.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.25.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.25.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.25.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.25.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.25.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.26.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.26.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.26.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.27.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.27.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.27.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.27.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.27.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:libbson:1.27.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
Credits
selmelc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T13:20:06.283556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T13:20:24.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:09.738Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00027.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:libbson:0.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.6.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.8.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:0.98.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.1.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.0:beta0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.3.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.4.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.4.0:beta0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.4.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:rc3:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:rc4:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.0:rc6:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.5.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.6.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.6.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.6.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.7.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.7.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.7.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.7.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.8.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.8.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.8.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.0:-:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.9.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.10.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.10.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.16.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.0:beta:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.0:rc0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.17.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.18.0:alpha:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.18.0:alpha2:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.19.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.19.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.20.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.20.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.21.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.21.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.21.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.22.0:beta0:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.22.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.22.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.22.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.23.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.23.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.23.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.23.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.23.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.23.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.24.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.24.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.24.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.24.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.24.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.25.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.25.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.25.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.25.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.25.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.26.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.26.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.26.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.27.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.27.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.27.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.27.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.27.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:libbson:1.27.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "libbson",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "1.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "8.0.1",
"status": "affected",
"version": "8.0",
"versionType": "custom"
},
{
"lessThan": "7.0.16",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "selmelc"
}
],
"datePublic": "2025-03-18T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe various \u003ctt\u003ebson_append\u003c/tt\u003e\u0026nbsp;functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16\u003c/p\u003e"
}
],
"value": "The various bson_append\u00a0functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T08:42:52.079Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-94461"
},
{
"url": "https://jira.mongodb.org/browse/CDRIVER-5601"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB C Driver bson library may be susceptible to buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-0755",
"datePublished": "2025-03-18T09:01:04.793Z",
"dateReserved": "2025-01-27T16:13:12.042Z",
"dateUpdated": "2025-11-03T19:35:09.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1756 (GCVE-0-2025-1756)
Vulnerability from cvelistv5 – Published: 2025-02-27 15:28 – Updated: 2025-02-27 16:06
VLAI?
Summary
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules\. This issue affects mongosh prior to 2.3.0
Severity ?
7.5 (High)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | mongosh |
Affected:
0 , < 2.3.0
(custom)
cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:* |
Credits
T. Doğa Gelişli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T16:02:07.276063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T16:06:31.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2025:1756"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "mongosh",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "2.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOnly environments with Windows as the underlying operating system is affected by this issue\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Only environments with Windows as the underlying operating system is affected by this issue"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "T. Do\u011fa Geli\u015fli"
}
],
"datePublic": "2025-02-27T13:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003emongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privilege, when a crafted file is stored in C:\\node_modules\\. This issue affects mongosh prior to 2.3.0\u003c/p\u003e"
}
],
"value": "mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privilege, when a crafted file is stored in C:\\node_modules\\. This issue affects mongosh prior to 2.3.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:28:11.633Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/MONGOSH-2028"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Shell may be susceptible to local privilege escalation in Windows",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-1756",
"datePublished": "2025-02-27T15:28:11.633Z",
"dateReserved": "2025-02-27T13:02:02.998Z",
"dateUpdated": "2025-02-27T16:06:31.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1755 (GCVE-0-2025-1755)
Vulnerability from cvelistv5 – Published: 2025-02-27 15:24 – Updated: 2025-02-27 16:07
VLAI?
Summary
MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1
Severity ?
7.5 (High)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Compass |
Affected:
0 , < 1.42.1
(custom)
cpe:2.3:a:mongodb:compass:1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.24.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.25.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.26.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.26.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.28.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.28.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.29.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.29.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.29.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.30.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.31.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.31.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.31.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.31.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.32.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.32.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.32.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.32.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.33.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.33.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.34.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.34.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.35.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.36.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.36.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.37.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.38.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.38.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.38.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.39.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.39.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.39.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.39.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.39.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.40.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.40.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.40.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.40.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.40.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.41.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:compass:1.42.0:*:*:*:*:*:*:* |
Credits
T. Doğa Gelişli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T16:07:15.336525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T16:07:45.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2025:1755.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:compass:1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.24.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.25.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.26.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.26.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.28.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.28.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.29.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.29.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.29.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.30.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.31.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.31.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.31.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.31.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.32.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.32.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.32.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.32.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.33.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.33.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.34.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.34.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.35.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.36.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.36.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.37.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.38.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.38.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.38.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.39.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.39.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.39.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.39.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.39.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.40.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.40.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.40.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.40.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.40.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.41.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:compass:1.42.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Compass",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "1.42.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eOnly environments with Windows as the underlying operating system is affected by this issue\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "Only environments with Windows as the underlying operating system is affected by this issue"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "T. Do\u011fa Geli\u015fli"
}
],
"datePublic": "2025-02-27T13:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privileges, when a crafted file is stored in C:\\node_modules\\. This issue affects MongoDB Compass prior to 1.42.1\u003c/p\u003e"
}
],
"value": "MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privileges, when a crafted file is stored in C:\\node_modules\\. This issue affects MongoDB Compass prior to 1.42.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:24:07.174Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/COMPASS-9058"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Compass may be susceptible to local privilege escalation in Windows",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-1755",
"datePublished": "2025-02-27T15:24:07.174Z",
"dateReserved": "2025-02-27T13:02:01.480Z",
"dateUpdated": "2025-02-27T16:07:45.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1693 (GCVE-0-2025-1693)
Vulnerability from cvelistv5 – Published: 2025-02-27 12:39 – Updated: 2025-02-27 15:20
VLAI?
Summary
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
This issue affects mongosh versions prior to 2.3.9
Severity ?
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | mongosh |
Affected:
0 , < 2.3.9
(custom)
cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.8:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:25:17.958882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:31:00.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.8:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "mongosh",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "2.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\u003c/p\u003e"
}
],
"value": "The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker."
}
],
"datePublic": "2025-02-27T12:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.\u003c/p\u003e\n\u003cp\u003eThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\u003c/p\u003e\n\u003cp\u003eThis issue affects mongosh versions prior to 2.3.9\u003c/p\u003e"
}
],
"value": "The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.\n\n\nThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\n\n\nThis issue affects mongosh versions prior to 2.3.9"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:20:13.640Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/MONGOSH-2026"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Shell may be susceptible to control character Injection via shell output",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-1693",
"datePublished": "2025-02-27T12:39:37.520Z",
"dateReserved": "2025-02-25T13:47:30.902Z",
"dateUpdated": "2025-02-27T15:20:13.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1692 (GCVE-0-2025-1692)
Vulnerability from cvelistv5 – Published: 2025-02-27 12:37 – Updated: 2025-02-27 15:19
VLAI?
Summary
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9
Severity ?
6.3 (Medium)
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | mongosh |
Affected:
0 , < 2.3.9
(custom)
cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.8:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:31:11.143757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:31:37.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.8:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "mongosh",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "2.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-02-27T12:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe MongoDB Shell may be susceptible to control character injection where an attacker with control of the user\u2019s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user\u2019s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:19:13.933Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/MONGOSH-2025"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Shell may be susceptible to control character injection via pasting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-1692",
"datePublished": "2025-02-27T12:37:00.376Z",
"dateReserved": "2025-02-25T13:44:14.148Z",
"dateUpdated": "2025-02-27T15:19:13.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1691 (GCVE-0-2025-1691)
Vulnerability from cvelistv5 – Published: 2025-02-27 12:34 – Updated: 2025-02-27 15:18
VLAI?
Summary
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
Severity ?
7.6 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | mongosh |
Affected:
0 , < 2.3.9
(custom)
cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongosh:2.3.8:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:33:04.403717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:33:54.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.7.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:0.15.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.90:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.91:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:1.10.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.2.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongosh:2.3.8:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "mongosh",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "2.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\u003cbr\u003e"
}
],
"value": "The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker."
}
],
"datePublic": "2025-02-27T12:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using \u2018tab\u2019 to autocomplete text that is a prefix of the attacker\u2019s prepared autocompletion. This issue affects mongosh versions prior to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e2.3.9.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using \u2018tab\u2019 to autocomplete text that is a prefix of the attacker\u2019s prepared autocompletion. This issue affects mongosh versions prior to\u00a02.3.9.\u00a0\n\n\nThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:18:23.418Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/MONGOSH-2024"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MongoDB Shell may be susceptible to Control Character Injection via autocomplete",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2025-1691",
"datePublished": "2025-02-27T12:34:02.752Z",
"dateReserved": "2025-02-25T13:35:22.403Z",
"dateUpdated": "2025-02-27T15:18:23.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10921 (GCVE-0-2024-10921)
Vulnerability from cvelistv5 – Published: 2024-11-14 16:04 – Updated: 2024-11-15 09:45
VLAI?
Summary
An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.
Severity ?
6.8 (Medium)
CWE
- CWE-158 - Improper Neutralization of Null Byte or NUL Character
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MongoDB Inc | MongoDB Server |
Affected:
5.0 , < 5.0.30
(custom)
Affected: 6.0 , < 6.0.19 (custom) Affected: 7.0 , < 7.0.15 (custom) Affected: 8.0 , < 8.0.3 (custom) cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T17:00:58.644599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T17:02:00.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongodb:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:5.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:6.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:7.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mongodb:mongodb:8.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.30",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.19",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.15",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.0.3",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-11-14T16:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.\u003c/span\u003e \u003cbr\u003e"
}
],
"value": "An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T09:45:56.720Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-96419"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customers and users should promptly upgrade to a patched version of the MongoDB Server product. At the time of publication, no misuse of this issue has been observed.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Customers and users should promptly upgrade to a patched version of the MongoDB Server product. At the time of publication, no misuse of this issue has been observed."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-10921",
"datePublished": "2024-11-14T16:04:04.062Z",
"dateReserved": "2024-11-06T13:26:36.873Z",
"dateUpdated": "2024-11-15T09:45:56.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8013 (GCVE-0-2024-8013)
Vulnerability from cvelistv5 – Published: 2024-10-28 12:58 – Updated: 2024-10-28 13:39
VLAI?
Summary
A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.
Severity ?
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| MongoDB Inc | mongocryptd |
Affected:
5.0 , < 5.0.29
(custom)
Affected: 6.0 , < 6.0.17 (custom) Affected: 7.0 , < 7.012 (custom) Affected: 7.3 , < 7.3.4 (custom) cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.12:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.13:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.14:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.15:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.16:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.12:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.13:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.14:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.15:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.16:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.17:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.18:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.19:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.20:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.21:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.22:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.23:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.24:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.25:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.26:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.27:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:5.0.28:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.12:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.13:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.14:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.15:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:6.0.16:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.10:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.0.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.3.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.3.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:mongocryptd:7.3.3:*:*:*:*:mongodb:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T13:39:18.972061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T13:39:31.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.12:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.13:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.14:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.15:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:6.0.16:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.0.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongo_crypt_v1.so:7.3.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.12:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.13:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.14:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.15:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.16:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.17:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.18:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.19:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.20:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.21:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.22:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.23:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.24:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.25:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.26:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.27:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:5.0.28:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.12:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.13:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.14:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.15:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:6.0.16:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.10:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.0.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.3.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.3.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:mongocryptd:7.3.3:*:*:*:*:mongodb:*:*"
],
"defaultStatus": "unaffected",
"product": "mongocryptd",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "5.0.29",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.17",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.012",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "7.3.4",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Mongo_crypt_v1.so",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThan": "6.0.17",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "7.0.12",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "7.3.4",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-10-28T12:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior t\u003c/span\u003eo 5.0.29, v\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319: Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T12:58:05.317Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"url": "https://jira.mongodb.org/browse/SERVER-96254"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-8013",
"datePublished": "2024-10-28T12:58:05.317Z",
"dateReserved": "2024-08-20T15:39:32.550Z",
"dateUpdated": "2024-10-28T13:39:31.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}