Total
42 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20923 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7. | |||||
CVE-2018-25004 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 4.0 MEDIUM | 4.9 MEDIUM |
A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11. | |||||
CVE-2018-20805 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10. | |||||
CVE-2018-20804 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13. | |||||
CVE-2018-20803 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19. | |||||
CVE-2018-20802 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3. | |||||
CVE-2023-1409 | 3 Apple, Microsoft, Mongodb | 3 Macos, Windows, Mongodb | 2023-12-10 | N/A | 7.5 HIGH |
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate. This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions. | |||||
CVE-2022-24272 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6. | |||||
CVE-2015-7882 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. | |||||
CVE-2017-2665 | 2 Mongodb, Redhat | 2 Mongodb, Storage Console | 2023-12-10 | 1.9 LOW | 7.0 HIGH |
The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text. | |||||
CVE-2017-14227 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c. | |||||
CVE-2017-15535 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory. | |||||
CVE-2014-8180 | 2 Mongodb, Redhat | 2 Mongodb, Satellite | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service. | |||||
CVE-2016-3104 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. | |||||
CVE-2016-6494 | 2 Fedoraproject, Mongodb | 2 Fedora, Mongodb | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files. | |||||
CVE-2012-6619 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.4 MEDIUM | N/A |
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read. | |||||
CVE-2014-3971 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 5.0 MEDIUM | N/A |
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate. | |||||
CVE-2015-1609 | 2 Fedoraproject, Mongodb | 2 Fedora, Mongodb | 2023-12-10 | 5.0 MEDIUM | N/A |
MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request. | |||||
CVE-2013-4650 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.5 MEDIUM | N/A |
MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database. | |||||
CVE-2013-3969 | 1 Mongodb | 1 Mongodb | 2023-12-10 | 6.5 MEDIUM | N/A |
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object. |