cvelistv5 - cve-2024-8654

CVE-2024-8654 (GCVE-0-2024-8654)

Vulnerability from cvelistv5 – Published: 2024-09-10 13:35 – Updated: 2025-05-16 23:03

Summary

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

mongodb

References

URL

Tags

https://jira.mongodb.org/browse/SERVER-71477

Impacted products

	Vendor	Product	Version
	MongoDB Inc	MongoDB Server	Affected: 6.0.3 cpe:2.3:a:mongodb:mongodb:6.0.3:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T14:46:36.070373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-10T14:46:52.002Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-16T23:03:01.427Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250516-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "MongoDB Server",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.3"
            }
          ]
        }
      ],
      "datePublic": "2024-09-10T12:29:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.\u003c/p\u003e"
            }
          ],
          "value": "MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-908",
              "description": "CWE-908: Use of Uninitialized Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-10T13:35:50.554Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "url": "https://jira.mongodb.org/browse/SERVER-71477"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "MongoDB Server may access non-initialized region of memory leading to unexpected behaviour",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2024-8654",
    "datePublished": "2024-09-10T13:35:50.554Z",
    "dateReserved": "2024-09-10T12:28:56.152Z",
    "dateUpdated": "2025-05-16T23:03:01.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.\"}, {\"lang\": \"es\", \"value\": \"MongoDB Server puede acceder a una regi\\u00f3n de memoria no inicializada, lo que genera un comportamiento inesperado cuando se invocan argumentos cero en la etapa de agregaci\\u00f3n interna. Este problema afecta a MongoDB Server v6.0 versi\\u00f3n 6.0.3.\"}]",
      "id": "CVE-2024-8654",
      "lastModified": "2024-09-10T15:50:57.713",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@mongodb.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.4}]}",
      "published": "2024-09-10T14:15:13.710",
      "references": "[{\"url\": \"https://jira.mongodb.org/browse/SERVER-71477\", \"source\": \"cna@mongodb.com\"}]",
      "sourceIdentifier": "cna@mongodb.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"cna@mongodb.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-908\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-8654\",\"sourceIdentifier\":\"cna@mongodb.com\",\"published\":\"2024-09-10T14:15:13.710\",\"lastModified\":\"2025-09-22T18:39:20.160\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.\"},{\"lang\":\"es\",\"value\":\"MongoDB Server puede acceder a una regi\u00f3n de memoria no inicializada, lo que genera un comportamiento inesperado cuando se invocan argumentos cero en la etapa de agregaci\u00f3n interna. Este problema afecta a MongoDB Server v6.0 versi\u00f3n 6.0.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@mongodb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cna@mongodb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndIncluding\":\"6.0.3\",\"matchCriteriaId\":\"9959F9D6-B36C-470F-89C7-935176572F9E\"}]}]}],\"references\":[{\"url\":\"https://jira.mongodb.org/browse/SERVER-71477\",\"source\":\"cna@mongodb.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20250516-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20250516-0008/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-05-16T23:03:01.427Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8654\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T14:46:36.070373Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-10T14:46:47.358Z\"}}], \"cna\": {\"title\": \"MongoDB Server may access non-initialized region of memory leading to unexpected behaviour\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mongodb:mongodb:6.0.3:*:*:*:*:*:*:*\"], \"vendor\": \"MongoDB Inc\", \"product\": \"MongoDB Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0.3\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-09-10T12:29:00.000Z\", \"references\": [{\"url\": \"https://jira.mongodb.org/browse/SERVER-71477\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-908\", \"description\": \"CWE-908: Use of Uninitialized Resource\"}]}], \"providerMetadata\": {\"orgId\": \"a39b4221-9bd0-4244-95fc-f3e2e07f1deb\", \"shortName\": \"mongodb\", \"dateUpdated\": \"2024-09-10T13:35:50.554Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-8654\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-16T23:03:01.427Z\", \"dateReserved\": \"2024-09-10T12:28:56.152Z\", \"assignerOrgId\": \"a39b4221-9bd0-4244-95fc-f3e2e07f1deb\", \"datePublished\": \"2024-09-10T13:35:50.554Z\", \"assignerShortName\": \"mongodb\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0765

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans MongoDB Server. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	MongoDB	Server	MongoDB Server versions 6.0.x antérieures à 6.0.4

References

Title

Publication Time

Tags

Bulletin de sécurité MongoDB SERVER-71477

2024-09-10

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MongoDB Server versions 6.0.x ant\u00e9rieures \u00e0 6.0.4",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-8654",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-8654"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0765",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-09-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans MongoDB Server. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Vuln\u00e9rabilit\u00e9 dans MongoDB Server",
  "vendor_advisories": [
    {
      "published_at": "2024-09-10",
      "title": "Bulletin de s\u00e9curit\u00e9 MongoDB SERVER-71477",
      "url": "https://jira.mongodb.org/browse/SERVER-71477"
    }
  ]
}

CERTFR-2024-AVI-0765

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans MongoDB Server. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	MongoDB	Server	MongoDB Server versions 6.0.x antérieures à 6.0.4

References

Title

Publication Time

Tags

Bulletin de sécurité MongoDB SERVER-71477

2024-09-10

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MongoDB Server versions 6.0.x ant\u00e9rieures \u00e0 6.0.4",
      "product": {
        "name": "Server",
        "vendor": {
          "name": "MongoDB",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-8654",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-8654"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0765",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-09-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans MongoDB Server. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Vuln\u00e9rabilit\u00e9 dans MongoDB Server",
  "vendor_advisories": [
    {
      "published_at": "2024-09-10",
      "title": "Bulletin de s\u00e9curit\u00e9 MongoDB SERVER-71477",
      "url": "https://jira.mongodb.org/browse/SERVER-71477"
    }
  ]
}

WID-SEC-W-2024-2103

Vulnerability from csaf_certbund - Published: 2024-09-10 22:00 - Updated: 2024-09-10 22:00

Summary

MongoDB: Schwachstelle ermöglicht nicht spezifizierten Angriff

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MongoDB ist ein Open-Source-Dokumentendatenbank.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MongoDB ist ein Open-Source-Dokumentendatenbank.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-2103 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-2103.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-2103 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2103"
      },
      {
        "category": "external",
        "summary": "MongoDB Issue SERVER-71477 vom 2024-09-10",
        "url": "https://jira.mongodb.org/browse/SERVER-71477"
      }
    ],
    "source_lang": "en-US",
    "title": "MongoDB: Schwachstelle erm\u00f6glicht nicht spezifizierten Angriff",
    "tracking": {
      "current_release_date": "2024-09-10T22:00:00.000+00:00",
      "generator": {
        "date": "2024-09-11T08:15:48.797+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.6"
        }
      },
      "id": "WID-SEC-W-2024-2103",
      "initial_release_date": "2024-09-10T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-09-10T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.3.0-rc0",
                "product": {
                  "name": "Open Source MongoDB \u003c6.3.0-rc0",
                  "product_id": "T037432"
                }
              },
              {
                "category": "product_version",
                "name": "6.3.0-rc0",
                "product": {
                  "name": "Open Source MongoDB 6.3.0-rc0",
                  "product_id": "T037432-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mongodb:mongodb:6.3.0-rc0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.2.0-rc2",
                "product": {
                  "name": "Open Source MongoDB \u003c6.2.0-rc2",
                  "product_id": "T037433"
                }
              },
              {
                "category": "product_version",
                "name": "6.2.0-rc2",
                "product": {
                  "name": "Open Source MongoDB 6.2.0-rc2",
                  "product_id": "T037433-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mongodb:mongodb:6.2.0-rc2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.0.4",
                "product": {
                  "name": "Open Source MongoDB \u003c6.0.4",
                  "product_id": "T037434"
                }
              },
              {
                "category": "product_version",
                "name": "6.0.4",
                "product": {
                  "name": "Open Source MongoDB 6.0.4",
                  "product_id": "T037434-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mongodb:mongodb:6.0.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.1.1",
                "product": {
                  "name": "Open Source MongoDB \u003c6.1.1",
                  "product_id": "T037435"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.1",
                "product": {
                  "name": "Open Source MongoDB 6.1.1",
                  "product_id": "T037435-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mongodb:mongodb:6.1.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "MongoDB"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-8654",
      "notes": [
        {
          "category": "description",
          "text": "In MongoDB existiert eine Schwachstelle. Dieser Fehler besteht wegen der Verwendung von nicht initialisierten Ressourcen, die den Zugriff auf nicht initialisierte Speicherbereiche erm\u00f6glichen. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um ein unerwartetes Verhalten auszul\u00f6sen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037433",
          "T037434",
          "T037435",
          "T037432"
        ]
      },
      "release_date": "2024-09-10T22:00:00.000+00:00",
      "title": "CVE-2024-8654"
    }
  ]
}

FKIE_CVE-2024-8654

Vulnerability from fkie_nvd - Published: 2024-09-10 14:15 - Updated: 2025-09-22 18:39

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	cna@mongodb.com	https://jira.mongodb.org/browse/SERVER-71477	Issue Tracking, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20250516-0008/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	mongodb	mongodb	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "9959F9D6-B36C-470F-89C7-935176572F9E",
              "versionEndIncluding": "6.0.3",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3."
    },
    {
      "lang": "es",
      "value": "MongoDB Server puede acceder a una regi\u00f3n de memoria no inicializada, lo que genera un comportamiento inesperado cuando se invocan argumentos cero en la etapa de agregaci\u00f3n interna. Este problema afecta a MongoDB Server v6.0 versi\u00f3n 6.0.3."
    }
  ],
  "id": "CVE-2024-8654",
  "lastModified": "2025-09-22T18:39:20.160",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.4,
        "source": "cna@mongodb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-10T14:15:13.710",
  "references": [
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.mongodb.org/browse/SERVER-71477"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20250516-0008/"
    }
  ],
  "sourceIdentifier": "cna@mongodb.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-908"
        }
      ],
      "source": "cna@mongodb.com",
      "type": "Secondary"
    }
  ]
}

GHSA-PW8J-VG82-PM6C

Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2025-05-17 00:30

Details

Severity ?

5.0 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-8654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T14:15:13Z",
    "severity": "MODERATE"
  },
  "details": "MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.",
  "id": "GHSA-pw8j-vg82-pm6c",
  "modified": "2025-05-17T00:30:25Z",
  "published": "2024-09-10T15:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8654"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-71477"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250516-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-8654 (GCVE-0-2024-8654)

CERTFR-2024-AVI-0765

Solutions

CERTFR-2024-AVI-0765

Solutions

WID-SEC-W-2024-2103

FKIE_CVE-2024-8654

GHSA-PW8J-VG82-PM6C

Tags

Sightings

Nomenclature