CVE-2019-2392 $mod can result in undefined behavior

2020-11-2315:25:14

CWE-190

mongodb

www.cve.org

cve-2019-2392

mongodb server

denial of service

database queries

overflow

mongodb inc.

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

29.8%

JSON

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "MongoDB Server",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "lessThan": "3.6.20",
        "status": "affected",
        "version": "3.6",
        "versionType": "custom"
      },
      {
        "lessThan": "4.0.20",
        "status": "affected",
        "version": "4.0",
        "versionType": "custom"
      },
      {
        "lessThan": "4.2.9",
        "status": "affected",
        "version": "4.2",
        "versionType": "custom"
      },
      {
        "lessThan": "4.4.1",
        "status": "affected",
        "version": "4.4",
        "versionType": "custom"
      }
    ]
  }
]