Filtered by vendor Mongodb
Subscribe
Total
65 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-0436 | 1 Mongodb | 1 Atlas Kubernetes Operator | 2023-12-10 | N/A | 7.5 HIGH |
The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version. Required Configuration: DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 ) | |||||
CVE-2023-0342 | 1 Mongodb | 1 Ops Manager Server | 2023-12-10 | N/A | 5.3 MEDIUM |
MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12 | |||||
CVE-2022-48282 | 1 Mongodb | 1 C\# Driver | 2023-12-10 | N/A | 7.2 HIGH |
Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0 Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable | |||||
CVE-2022-24272 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6. | |||||
CVE-2021-20334 | 2 Microsoft, Mongodb | 2 Windows, Compass | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows. | |||||
CVE-2020-12135 | 2 Mongodb, Whoopsie Project | 2 C Driver, Whoopsie | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input. | |||||
CVE-2019-2391 | 1 Mongodb | 1 Js-bson | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to. | |||||
CVE-2020-7610 | 1 Mongodb | 1 Bson | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type. | |||||
CVE-2015-4411 | 2 Fedoraproject, Mongodb | 2 Fedora, Bson | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix to CVE-2015-4410. | |||||
CVE-2015-7882 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. | |||||
CVE-2018-16790 | 1 Mongodb | 1 Libbson | 2023-12-10 | 5.8 MEDIUM | 8.1 HIGH |
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer. | |||||
CVE-2017-2665 | 2 Mongodb, Redhat | 2 Mongodb, Storage Console | 2023-12-10 | 1.9 LOW | 7.0 HIGH |
The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text. | |||||
CVE-2018-13863 | 1 Mongodb | 1 Js-bson | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string. | |||||
CVE-2017-14227 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c. | |||||
CVE-2017-15535 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory. | |||||
CVE-2014-8180 | 2 Mongodb, Redhat | 2 Mongodb, Satellite | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service. | |||||
CVE-2016-3104 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. | |||||
CVE-2016-6494 | 2 Fedoraproject, Mongodb | 2 Fedora, Mongodb | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files. | |||||
CVE-2012-6619 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.4 MEDIUM | N/A |
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read. | |||||
CVE-2014-3971 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 5.0 MEDIUM | N/A |
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate. |