Search
Total
11 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-1409 | 3 Apple, Microsoft, Mongodb | 3 Macos, Windows, Mongodb | 2023-08-29 | N/A | 7.5 HIGH |
| If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate. This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions. | |||||
| CVE-2021-32040 | 1 Mongodb | 1 Mongodb | 2022-06-09 | 5.0 MEDIUM | 7.5 HIGH |
| It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16. | |||||
| CVE-2021-32036 | 1 Mongodb | 1 Mongodb | 2022-02-09 | 5.5 MEDIUM | 7.1 HIGH |
| An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. | |||||
| CVE-2020-7925 | 1 Mongodb | 1 Mongodb | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9. | |||||
| CVE-2019-20925 | 1 Mongodb | 1 Mongodb | 2020-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24. | |||||
| CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2020-10-16 | 6.0 MEDIUM | 7.1 HIGH |
| After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22. | |||||
| CVE-2019-2390 | 2 Microsoft, Mongodb | 2 Windows, Mongodb | 2020-10-14 | 6.8 MEDIUM | 7.8 HIGH |
| An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects: MongoDB Inc. MongoDB Server 4.0 prior to 4.0.11; 3.6 prior to 3.6.14; 3.4 prior to 3.4.22. | |||||
| CVE-2017-2665 | 2 Mongodb, Redhat | 2 Mongodb, Storage Console | 2019-10-09 | 1.9 LOW | 7.0 HIGH |
| The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text. | |||||
| CVE-2015-7882 | 1 Mongodb | 1 Mongodb | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. | |||||
| CVE-2017-14227 | 1 Mongodb | 1 Mongodb | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c. | |||||
| CVE-2016-3104 | 1 Mongodb | 1 Mongodb | 2017-04-22 | 5.0 MEDIUM | 7.5 HIGH |
| mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. | |||||