Lucene search
K
MongodbMost viewed

146 matches found

MongoDB
MongoDB
added 2021/05/24 12:0 a.m.410 views

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application

Specific versions of the MongoDB C Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser",...

4.9CVSS2AI score0.00623EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2023/02/21 7:39 p.m.327 views

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution

Under very specific circumstances see Required configuration section below, a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C. This affects all MongoDB .NET/C Driver versions prior to and...

7.2CVSS6.7AI score0.01049EPSS
Exploits0References2Affected Software2
MongoDB
MongoDB
added 2021/04/30 12:0 a.m.229 views

Specially crafted query may result in a denial of service of mongod

A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4...

6.5CVSS4.4AI score0.00948EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/04/06 12:0 a.m.197 views

Local privilege escalation in MongoDB Compass for Windows

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x...

7.8CVSS6.5AI score0.00201EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/08/13 2:18 p.m.190 views

Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server

"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versio...

5.3CVSS6.7AI score0.00428EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/04/01 8:47 a.m.186 views

User may override a view's collation and gain unauthorized access to underlying data

A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version...

5.4CVSS6.9AI score0.00182EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/11/14 4:2 p.m.120 views

Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to...

8.1CVSS7.2AI score0.00537EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/04/24 4:32 p.m.112 views

Insufficient validation of external input in Compass may enable MITM attacks

MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to 1.40.5...

7.1CVSS6.9AI score0.00231EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/04/01 11:10 a.m.101 views

Malformed MongoDB wire protocol messages may cause mongos to crash

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to...

7.5CVSS7AI score0.00414EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/07/23 12:0 a.m.94 views

Server log entry spoofing via newline injection

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;...

5.3CVSS4.9AI score0.01273EPSS
Exploits1References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:43 p.m.92 views

Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions,...

8.7CVSS5.5AI score0.00345EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2023/08/08 10:30 a.m.82 views

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

7.2CVSS6.9AI score0.00614EPSS
Exploits0References3Affected Software1
MongoDB
MongoDB
added 2021/02/26 12:0 a.m.80 views

Specially crafted regex query can cause DoS

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20...

6.5CVSS4.3AI score0.01289EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/07/07 3:6 p.m.69 views

Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash

An authorized user can issue queries with duplicate id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0...

6.5CVSS7AI score0.00276EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/02/25 12:0 a.m.68 views

MongoDB Node.js client side field level encryption library may not be validating KMS certificate

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and th...

6.8CVSS6.2AI score0.00204EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/20 4:18 p.m.67 views

Prototype pollution in csv parsing

Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leading to "1-click" command execution...

5.3CVSS5.8AI score0.00411EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/04/01 9:16 a.m.65 views

MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked

A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to...

9.8CVSS7AI score0.00266EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2022/05/11 12:0 a.m.60 views

MongoDB Server (mongod) may crash in response to unexpected requests

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6...

6.5CVSS4.2AI score0.00889EPSS
Exploits2References1Affected Software1
MongoDB
MongoDB
added 2021/06/10 12:0 a.m.56 views

Specific cstrings input may not be properly validated in the Go Driver

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to and...

6.8CVSS3.3AI score0.00961EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/10/21 2:8 p.m.54 views

MongoDB Server secondaries may crash due to forced index constraints

prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 version...

6.5CVSS6.8AI score0.0057EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2022/04/12 12:0 a.m.54 views

Large aggregation pipelines with a specific stage can crash mongod under default configuration

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS...

7.5CVSS2.6AI score0.0197EPSS
Exploits0References4Affected Software1
MongoDB
MongoDB
added 2021/02/26 12:0 a.m.54 views

Invariant failure when explaining a find with a UUID

A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11...

4.9CVSS4.6AI score0.01004EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/08/07 9:55 a.m.52 views

Accessing Untrusted Directory May Allow Local Privilege Escalation

Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB...

7.8CVSS7AI score0.0026EPSS
Exploits0References3Affected Software3
MongoDB
MongoDB
added 2020/04/09 12:0 a.m.51 views

Kubernetes Operator generates potentially insecure certificates

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates ar...

6.5CVSS4.2AI score0.00668EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/07/01 2:40 p.m.50 views

Missing authorization check may lead to shard key refinement

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, pri...

6.5CVSS6.9AI score0.00376EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/06/26 11:9 a.m.49 views

Race condition in privilege cache invalidation cycle

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior ...

5.4CVSS7.1AI score0.00143EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2022/01/20 12:0 a.m.49 views

MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code includi...

5.5CVSS3.9AI score0.0028EPSS
Exploits0References2Affected Software1
MongoDB
MongoDB
added 2021/08/02 12:0 a.m.48 views

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credential...

4.4CVSS2.1AI score0.00308EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/02/25 12:0 a.m.48 views

MongoDB Java driver client-side field level encryption not verifying KMS host name

Specific versions of the Java driver that support client-side field level encryption CSFLE fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffi...

6.8CVSS6.3AI score0.00432EPSS
Exploits0References1Affected Software4
MongoDB
MongoDB
added 2019/08/30 11:0 a.m.48 views

Code execution on Windows via OpenSSL engine injection

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects: MongoDB Inc. MongoDB Server 4.0 prior to...

8.2CVSS7.6AI score0.01011EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/04/12 12:0 a.m.46 views

Specific command line parameter might result in accepting invalid certificate

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions...

6.5CVSS2.4AI score0.00691EPSS
Exploits0References1Affected Software2
MongoDB
MongoDB
added 2024/08/27 10:23 a.m.43 views

MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths

In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server...

6.7CVSS6.8AI score0.00203EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2022/02/04 12:0 a.m.43 views

Denial of Service and Data Integrity vulnerability in features command

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions...

7.1CVSS3.1AI score0.01034EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.43 views

Denial of Service when processing malformed Role names

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions...

7.5CVSS4.7AI score0.0166EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/02/27 1:15 p.m.42 views

MongoDB Shell may be susceptible to local privilege escalation in Windows

mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\nodemodules. This issue affects mongosh prior to 2.3.0...

7.8CVSS6.6AI score0.00138EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2023/11/07 12:41 p.m.42 views

Secret logging may occur in debug mode of Atlas Operator

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that thi...

7.5CVSS6.5AI score0.00598EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/12/15 12:0 a.m.42 views

Specific replication command with malformed oplog entries can crash secondaries

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to...

6.5CVSS4.8AI score0.01037EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/06/05 2:32 p.m.40 views

Out-of-bounds read in bson module of PyMongo

An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory...

8.1CVSS4.7AI score0.00663EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/04/01 9:8 a.m.39 views

MongoDB Server may crash due to improper validation of explain command

When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Serve...

6.5CVSS7.2AI score0.00387EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2023/08/23 4:18 p.m.39 views

Certificate validation issue in MongoDB Server running on Windows or macOS

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms e.g. Linux, it is possible that client certificate validation may not be in effect, potentially allowing client to...

7.5CVSS6.7AI score0.00367EPSS
Exploits0References3Affected Software1
MongoDB
MongoDB
added 2020/05/13 11:0 a.m.38 views

Potential exposure of log information in Ops Manager

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5...

5.8CVSS5.3AI score0.00999EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/03/18 9:0 a.m.37 views

MongoDB C Driver bson library may be susceptible to buffer overflow

The various bsonappend functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size INT32MAX, resulting in a segmentation fault and possible application crash. This...

8.4CVSS7.2AI score0.00734EPSS
Exploits0References1Affected Software2
MongoDB
MongoDB
added 2024/05/14 2:56 p.m.37 views

MongoDB Server may have unexpected application behaviour due to invalid BSON

Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior t...

7.5CVSS7AI score0.0055EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2023/06/09 11:0 a.m.37 views

MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12...

5.3CVSS4.8AI score0.00891EPSS
Exploits2References2Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.37 views

Potential privilege escalation in Ops Manager API

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2...

8.1CVSS5.6AI score0.01032EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/09/10 12:29 p.m.36 views

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3...

9.8CVSS6.7AI score0.00373EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/02/29 9:31 a.m.36 views

MongoDB Server may allow successful untrusted connection

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...

9.8CVSS7.2AI score0.00492EPSS
Exploits0References5Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.36 views

Invariant failure in applyOps

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13...

6.5CVSS4.4AI score0.01233EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/10/28 12:57 p.m.35 views

CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines

A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryp...

3.3CVSS6.8AI score0.00119EPSS
Exploits0References1Affected Software2
MongoDB
MongoDB
added 2024/01/12 2:13 p.m.35 views

MongoDB client C Driver may infinitely loop when validating certain BSON input data

When calling bsonutf8validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0...

7.5CVSS7AI score0.01103EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities146