Lucene search
K
MongodbMost viewed

146 matches found

MongoDB
MongoDB
added 2020/11/30 12:0 a.m.35 views

Post-auth queries on compound index may crash mongod

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3...

6.5CVSS5.2AI score0.01462EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/23 12:0 a.m.35 views

Infinite loop in aggregation expression

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10;...

6.5CVSS5AI score0.01269EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/03/31 11:0 a.m.35 views

JS-bson may incorrectly serialise some requests

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to...

5.5CVSS4.7AI score0.00906EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2021/02/11 12:0 a.m.34 views

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager

For MongoDB Ops Manager = 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager = 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This...

6.7CVSS2.2AI score0.00139EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/23 12:0 a.m.34 views

Improper neutralization of null byte leads to read overrun

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior...

6.5CVSS5.2AI score0.01412EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2019/08/30 11:0 a.m.34 views

Process termination via PID file manipulation

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior t...

5.3CVSS5AI score0.00305EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/04/29 4:51 p.m.33 views

Flaw in the updateUser Command May Allow Unauthorized Configuration Change

An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account...

6.3CVSS5.3AI score0.00167EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/07/01 2:56 p.m.33 views

ejson shell parser in MongoDB Compass maybe bypassed

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2...

9.8CVSS7.3AI score0.0042EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.33 views

Specific query can cause a DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected...

6.5CVSS4.5AI score0.01391EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/08/21 12:0 a.m.33 views

Specific GeoQuery can cause DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8;...

6.5CVSS4.8AI score0.01275EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/18 3:40 p.m.32 views

Calling createIndex with certain index types can crash mongod

Creating a "2dspherebucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryableencryptedrange" indices. This issue affects MongoDB Server...

7.1CVSS5.8AI score0.00235EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2019/08/06 11:0 a.m.32 views

Authorization session conflation

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prio...

7.1CVSS6.6AI score0.01225EPSS
Exploits1References2Affected Software1
MongoDB
MongoDB
added 2024/07/02 5:17 p.m.31 views

Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands.

Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2...

7.5CVSS6.8AI score0.00277EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2023/08/29 4:21 p.m.31 views

Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may...

7.5CVSS7AI score0.00492EPSS
Exploits0References6Affected Software5
MongoDB
MongoDB
added 2021/11/24 12:0 a.m.31 views

User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shar...

6.5CVSS6.2AI score0.01181EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/12/01 12:0 a.m.31 views

Invariant in IndexBoundsBuilder

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2...

6.5CVSS6.3AI score0.01282EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.31 views

$mod can result in UB

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prio...

6.5CVSS5.5AI score0.01246EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/24 12:0 a.m.32 views

Denial of service via malformed network packet

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6...

7.5CVSS5.2AI score0.01655EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/05/14 2:55 p.m.30 views

MongoDB Server (mongod) may crash when generating ftdc

An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions...

5.3CVSS7.1AI score0.00457EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.30 views

Crash while joining collections with $lookup

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15...

6.5CVSS4AI score0.01233EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/06/26 1:59 p.m.28 views

Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server

An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific...

8.8CVSS6.9AI score0.00214EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.28 views

Crash while handling internal Javascript exception types

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions...

6.5CVSS2.9AI score0.01254EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/11/30 12:0 a.m.28 views

Invariant with $elemMatch

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Serve...

6.5CVSS5.1AI score0.01233EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2020/05/06 11:0 a.m.28 views

Administrative action may disable enforcement of per-user IP whitelisting

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions...

5.3CVSS4.9AI score0.0066EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/07/07 2:40 p.m.25 views

Incomplete Redaction of Sensitive Information in MongoDB Server Logs

An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0...

4.9CVSS7AI score0.00239EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/07/03 9:33 p.m.25 views

MongoDB C Driver bson_string_append may be vulnerable to a buffer overflow

The bsonstringappend function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1...

5.3CVSS7.5AI score0.00625EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/02/27 1:8 p.m.24 views

MongoDB Compass may be susceptible to local privilege escalation in Windows

MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\nodemodules. This issue affects MongoDB Compass prior to 1.42.1...

7.8CVSS6.6AI score0.00138EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/02/27 12:31 p.m.24 views

MongoDB Shell may be susceptible to Control Character Injection via autocomplete

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete...

7.6CVSS7.1AI score0.00287EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2024/07/02 5:5 p.m.24 views

MongoDB C Driver bson_strfreev may be susceptible to integer overflow

The bsonstrfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2...

5.3CVSS7AI score0.00392EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/06/26 11:40 a.m.22 views

Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB

MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which coul...

7.5CVSS7.4AI score0.00307EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/12 11:59 p.m.21 views

FlatBSON Duplicate Field Index Drift

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series...

8.8CVSS6.1AI score0.0057EPSS
Exploits1References1Affected Software1
MongoDB
MongoDB
added 2025/12/19 11:0 a.m.20 views

Zlib compressed protocol header length confusion may allow memory read

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3,...

8.7CVSS7AI score0.83007EPSS
Exploits39References1Affected Software1
MongoDB
MongoDB
added 2025/02/27 12:35 p.m.19 views

MongoDB Shell may be susceptible to control character injection via pasting

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue...

8.8CVSS7.2AI score0.00224EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/12 1:57 a.m.18 views

Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

8.8CVSS5.5AI score0.00384EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/13 12:8 a.m.18 views

Schema validation log messages may not redact user data

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 version...

5.3CVSS5.8AI score0.00204EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/07/07 2:45 p.m.16 views

MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB...

7.7CVSS6.9AI score0.00336EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/11/18 8:21 p.m.15 views

Bulk write with options may read invalid memory

A mongocbulkoperationt may read invalid memory if large options are passed...

6.9CVSS6.9AI score0.0019EPSS
Exploits0References3Affected Software2
MongoDB
MongoDB
added 2026/06/09 10:33 p.m.14 views

Stack memory disclosure in filemd5 command

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command...

7.1CVSS5.5AI score0.00224EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/14 9:27 p.m.14 views

PHP Stack Exhaustion

Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server...

6CVSS5.8AI score0.00311EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/11/03 9:3 p.m.14 views

Malformed KMIP response may result in access violation

The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations...

5.9CVSS6.9AI score0.00357EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/07/07 2:45 p.m.14 views

Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Serve...

7.5CVSS7.2AI score0.00307EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:40 p.m.13 views

Keyfile contents are in MongoDB Server logs

MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction...

6.8CVSS5.5AI score0.00119EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:30 p.m.13 views

Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.

The $internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command...

8.1CVSS5.6AI score0.00298EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:27 p.m.13 views

GeometryCollection with strict-winding polygon causes server crash during 2dsphere index key generation

An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not...

7.1CVSS5.4AI score0.0027EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:2 p.m.13 views

Server crashes in case of the use of exchange

When using $changestreams and $requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement...

7.1CVSS5.4AI score0.0027EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/20 3:55 p.m.13 views

Heap memory out of bounds read and crash in C Driver legacy GridFS file reader

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash via a division-by-zero or silently leak process memo...

6CVSS5.8AI score0.00281EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/13 12:12 a.m.13 views

Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields

A use-after-free vulnerability exists in MongoDB's Field-Level Encryption FLE query analysis component, affecting client-side uses of mongocryptd and cryptshared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This issue impacts MongoDB Server’s...

8.8CVSS5.8AI score0.00129EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:5 p.m.13 views

Internal ResourceId collision may affect unrelated collections

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks...

7.1CVSS5.5AI score0.00199EPSS
Exploits0References2Affected Software1
MongoDB
MongoDB
added 2025/09/15 4:4 p.m.13 views

MongoDB Windows installation MSI may leave ACLs unset on custom installation directories

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 a...

7.8CVSS6.9AI score0.00111EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:5 p.m.12 views

Crafted cross-shard merge aggregation crashes MongoDB Server

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

7.1CVSS5.4AI score0.0027EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities146