CVE-2018-20804

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://jira.mongodb.org/browse/SERVER-35636	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::

History

23 Jan 2024, 15:15

Type	Values Removed	Values Added
Summary	(en) A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13.	(en) A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.

Information

Published : 2020-11-23 16:15

Updated : 2024-01-23 15:15

NVD link : CVE-2018-20804

Mitre link : CVE-2018-20804

CVE.ORG link : CVE-2018-20804

JSON object : View

Products Affected

mongodb

mongodb

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2018-20804", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@mongodb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-11-23T16:15:12.197", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-35636", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cna@mongodb.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "cna@mongodb.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and\u00a0MongoDB Server v3.6 versions prior to 3.6.13.\n\n"}, {"lang": "es", "value": "Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegaci\u00f3n de servicio al emitir invocaciones de applyOps especialmente dise\u00f1adas. Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.0 anteriores a 4.0.10; versiones v3.6 anteriores a 3.6.13"}], "lastModified": "2024-01-23T15:15:10.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E74086E-F8F7-438B-8E70-CDF068C7AEE5", "versionEndExcluding": "3.6.13", "versionStartIncluding": "3.6.0"}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89BB7793-2ADB-4B05-B103-9EB696C6946B", "versionEndExcluding": "4.0.10", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@mongodb.com"}