18 matches found
BIT-MONGODB-2022-24272 MongoDB Server (mongod) may crash in response to unexpected requests
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6...
GHSA-6CWM-WM82-HGRW MongoDB Tools Improper Certificate Validation vulnerability
Usage of a specific command line parameter in MongoDB Tools, which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions...
MongoDB Server (mongod) may crash in response to unexpected requests
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6...
Input validation
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6...
CVE-2020-7924
Removed by vendor...
Specific command line parameter might result in accepting invalid certificate
Usage of a specific command line parameter in MongoDB Tools, which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions...
Design/Logic Flaw
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x...
CVE-2021-20334 Local privilege escalation in MongoDB Compass for Windows
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x...
Post-auth queries on compound index may crash mongod
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3...
CVE-2018-20803
CVE-2018-20803 affects MongoDB Server: 4.0 prior to 4.0.5; 3.6 prior to 3.6.10; 3.4 prior to 3.4.19. Description: authenticated user can trigger a denial-of-service by sending specially crafted queries, causing an endless loop in mathematics processing while holding locks. Impact: availability de...
CVE-2019-20923
CVE-2019-20923 affects MongoDB Server v4.0.x prior to 4.0.7. A user authorized to perform database queries can trigger a denial-of-service by issuing specially crafted queries that cause unhandled JavaScript exceptions confined to the JS engine internals. Affected component: MongoDB Server (v4.0.x
CVE-2019-2392 $mod can result in undefined behavior
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prio...
CVE-2020-7925
Removed by vendor...
CVE-2020-7925
CVE-2020-7925 is a MongoDB Denial of Service due to incorrect validation of user input in the role name parser. The vulnerability allows an unauthenticated attacker to send a specially crafted request to cause a DoS. Affected are MongoDB Server v4.4 before 4.4.0-rc12 and v4.2 before 4.2.9...
CVE-2019-2388
In affected Ops Manager versions there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5...
CVE-2019-2388 Potential exposure of log information in Ops Manager
In affected Ops Manager versions there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5...
Design/Logic Flaw
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to...
CVE-2019-2391 JS-bson may incorrectly serialise some requests
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to...