Lucene search
K
MongodbRecent

146 matches found

MongoDB
MongoDB
•added 2024/01/12 2:13 p.m.•35 views

MongoDB client C Driver may infinitely loop when validating certain BSON input data

When calling bsonutf8validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0...

7.5CVSS7AI score0.01103EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2023/11/07 12:41 p.m.•42 views

Secret logging may occur in debug mode of Atlas Operator

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that thi...

7.5CVSS6.5AI score0.00598EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2023/08/29 4:21 p.m.•31 views

Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may...

7.5CVSS7AI score0.00492EPSS
Exploits0References6Affected Software5
MongoDB
MongoDB
•added 2023/08/23 4:18 p.m.•39 views

Certificate validation issue in MongoDB Server running on Windows or macOS

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms e.g. Linux, it is possible that client certificate validation may not be in effect, potentially allowing client to...

7.5CVSS6.7AI score0.00367EPSS
Exploits0References3Affected Software1
MongoDB
MongoDB
•added 2023/08/08 10:30 a.m.•82 views

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

7.2CVSS6.9AI score0.00614EPSS
Exploits0References3Affected Software1
MongoDB
MongoDB
•added 2023/06/09 11:0 a.m.•37 views

MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12...

5.3CVSS4.8AI score0.00891EPSS
Exploits2References2Affected Software1
MongoDB
MongoDB
•added 2023/02/21 7:39 p.m.•327 views

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution

Under very specific circumstances see Required configuration section below, a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C. This affects all MongoDB .NET/C Driver versions prior to and...

7.2CVSS6.7AI score0.01049EPSS
Exploits0References2Affected Software2
MongoDB
MongoDB
•added 2022/05/11 12:0 a.m.•60 views

MongoDB Server (mongod) may crash in response to unexpected requests

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6...

6.5CVSS4.2AI score0.00889EPSS
Exploits2References1Affected Software1
MongoDB
MongoDB
•added 2022/04/12 12:0 a.m.•54 views

Large aggregation pipelines with a specific stage can crash mongod under default configuration

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS...

7.5CVSS2.6AI score0.0197EPSS
Exploits0References4Affected Software1
MongoDB
MongoDB
•added 2022/02/04 12:0 a.m.•43 views

Denial of Service and Data Integrity vulnerability in features command

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions...

7.1CVSS3.1AI score0.01034EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2022/01/20 12:0 a.m.•49 views

MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code includi...

5.5CVSS3.9AI score0.0028EPSS
Exploits0References2Affected Software1
MongoDB
MongoDB
•added 2021/12/15 12:0 a.m.•42 views

Specific replication command with malformed oplog entries can crash secondaries

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to...

6.5CVSS4.8AI score0.01037EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/11/24 12:0 a.m.•31 views

User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shar...

6.5CVSS6.2AI score0.01181EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/08/02 12:0 a.m.•48 views

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credential...

4.4CVSS2.1AI score0.00308EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/07/23 12:0 a.m.•94 views

Server log entry spoofing via newline injection

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;...

5.3CVSS4.9AI score0.01273EPSS
Exploits1References1Affected Software1
MongoDB
MongoDB
•added 2021/06/10 12:0 a.m.•56 views

Specific cstrings input may not be properly validated in the Go Driver

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to and...

6.8CVSS3.3AI score0.00961EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/05/24 12:0 a.m.•410 views

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application

Specific versions of the MongoDB C Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser",...

4.9CVSS2AI score0.00623EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/04/30 12:0 a.m.•229 views

Specially crafted query may result in a denial of service of mongod

A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4...

6.5CVSS4.4AI score0.00948EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/04/12 12:0 a.m.•46 views

Specific command line parameter might result in accepting invalid certificate

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions...

6.5CVSS2.4AI score0.00691EPSS
Exploits0References1Affected Software2
MongoDB
MongoDB
•added 2021/04/06 12:0 a.m.•197 views

Local privilege escalation in MongoDB Compass for Windows

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x...

7.8CVSS6.5AI score0.00201EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/02/26 12:0 a.m.•54 views

Invariant failure when explaining a find with a UUID

A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11...

4.9CVSS4.6AI score0.01004EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/02/26 12:0 a.m.•80 views

Specially crafted regex query can cause DoS

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20...

6.5CVSS4.3AI score0.01289EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/02/25 12:0 a.m.•68 views

MongoDB Node.js client side field level encryption library may not be validating KMS certificate

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and th...

6.8CVSS6.2AI score0.00204EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2021/02/25 12:0 a.m.•48 views

MongoDB Java driver client-side field level encryption not verifying KMS host name

Specific versions of the Java driver that support client-side field level encryption CSFLE fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffi...

6.8CVSS6.3AI score0.00432EPSS
Exploits0References1Affected Software4
MongoDB
MongoDB
•added 2021/02/11 12:0 a.m.•34 views

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager

For MongoDB Ops Manager = 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager = 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This...

6.7CVSS2.2AI score0.00139EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/12/01 12:0 a.m.•31 views

Invariant in IndexBoundsBuilder

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2...

6.5CVSS6.3AI score0.01282EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•31 views

$mod can result in UB

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prio...

6.5CVSS5.5AI score0.01246EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•28 views

Invariant with $elemMatch

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Serve...

6.5CVSS5.1AI score0.01233EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•43 views

Denial of Service when processing malformed Role names

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions...

7.5CVSS4.7AI score0.0166EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•33 views

Specific query can cause a DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected...

6.5CVSS4.5AI score0.01391EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•37 views

Potential privilege escalation in Ops Manager API

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2...

8.1CVSS5.6AI score0.01032EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•30 views

Crash while joining collections with $lookup

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15...

6.5CVSS4AI score0.01233EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•35 views

Post-auth queries on compound index may crash mongod

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3...

6.5CVSS5.2AI score0.01462EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•36 views

Invariant failure in applyOps

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13...

6.5CVSS4.4AI score0.01233EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/30 12:0 a.m.•28 views

Crash while handling internal Javascript exception types

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions...

6.5CVSS2.9AI score0.01254EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/24 12:0 a.m.•32 views

Denial of service via malformed network packet

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6...

7.5CVSS5.2AI score0.01655EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/23 12:0 a.m.•34 views

Improper neutralization of null byte leads to read overrun

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior...

6.5CVSS5.2AI score0.01412EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/11/23 12:0 a.m.•35 views

Infinite loop in aggregation expression

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10;...

6.5CVSS5AI score0.01269EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/08/21 12:0 a.m.•33 views

Specific GeoQuery can cause DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8;...

6.5CVSS4.8AI score0.01275EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/05/13 11:0 a.m.•38 views

Potential exposure of log information in Ops Manager

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5...

5.8CVSS5.3AI score0.00999EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/05/06 11:0 a.m.•28 views

Administrative action may disable enforcement of per-user IP whitelisting

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions...

5.3CVSS4.9AI score0.0066EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/04/09 12:0 a.m.•51 views

Kubernetes Operator generates potentially insecure certificates

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates ar...

6.5CVSS4.2AI score0.00668EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2020/03/31 11:0 a.m.•35 views

JS-bson may incorrectly serialise some requests

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to...

5.5CVSS4.7AI score0.00906EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2019/08/30 11:0 a.m.•48 views

Code execution on Windows via OpenSSL engine injection

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects: MongoDB Inc. MongoDB Server 4.0 prior to...

8.2CVSS7.6AI score0.01011EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2019/08/30 11:0 a.m.•34 views

Process termination via PID file manipulation

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior t...

5.3CVSS5AI score0.00305EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
•added 2019/08/06 11:0 a.m.•32 views

Authorization session conflation

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prio...

7.1CVSS6.6AI score0.01225EPSS
Exploits1References2Affected Software1
Total number of security vulnerabilities146