CVE-2020-7923 Specific GeoQuery can cause DoS against MongoDB Server

2020-08-2100:00:00

CWE-755

mongodb

www.cve.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.8%

JSON

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem’s support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "MongoDB Server",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "lessThan": "4.4.0-rc7",
        "status": "affected",
        "version": "4.4",
        "versionType": "custom"
      },
      {
        "lessThan": "4.2.8",
        "status": "affected",
        "version": "4.2",
        "versionType": "custom"
      },
      {
        "lessThan": "4.0.19",
        "status": "affected",
        "version": "4.0",
        "versionType": "custom"
      }
    ]
  }
]