CVE-2018-20802
Published: 2020-11-23
CVE-2018-20802: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner…
Priority: P434 · Severity: medium · CVSS 3.1 score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.46% (70.3th percentile)
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 0 < 1:2.4.9-1ubuntu2+esm2 | 1:2.4.9-1ubuntu2+esm2 |
| mongodb | mongodb | >= 0 < 1:2.6.10-0ubuntu1+esm2 | 1:2.6.10-0ubuntu1+esm2 |
| mongodb | mongodb | >= 0 < 1:3.6.3-0ubuntu1.4+esm1 | 1:3.6.3-0ubuntu1.4+esm1 |
| mongodb | mongodb | >= 3.6.0 < 3.6.9 | 3.6.9 |
| mongodb | mongodb | >= 4.0.0 < 4.0.3 | 4.0.3 |
| mongodb_inc | mongodb_server | >= 3.6 < 3.6.9 | 3.6.9 |
| mongodb_inc | mongodb_server | >= 4.0 < 4.0.3 | 4.0.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | | 6.5 | MEDIUM | |
| vendor_redhat | | 6.5 | MEDIUM | |
| vendor_ubuntu | | 5.0 | MEDIUM | |
Ubuntu
MongoDB vulnerabilities
Source: vendor_ubuntu · 2026-02-25 · CVSS 5.0
CVE-2018-20802 [MEDIUM] MongoDB vulnerabilities
Title: MongoDB vulnerabilities
Summary: Several security issues were fixed in MongoDB.
Eliot Horowitz discovered that MongoDB may fail to validate some instances
of malformed BSON. A remote attacker could possibly use this issue to cause
MongoDB to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-1609)
It was discovered that MongoDB read raw permissions from .dbshell history
files. A local attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-6494)
Travis Brown discovered that MongoDB may be unable to parse specially
crafted UTF-8 strings in BSON requests. A remote attacker could possibly
use this issue to cause MongoDB to crash, resulting in a denial
Red Hat
mongodb: Denial of service via crafted queries with compound indexes affecting QueryPlanner
Source: vendor_redhat · 2020-11-23 · CVSS 6.5
CVE-2018-20802 [MEDIUM] CWE-393 mongodb: Denial of service via crafted queries with compound indexes affecting QueryPlanner
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.
Package: mongodb (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: mongodb (Red Hat OpenStack Platform 10 (Newton)) - Out of support scope
Package: rh-mongodb36-mongodb (Red Hat Software Collections) - Will not fix
Package: mongodb (Red Hat Update Infrastructure 3 for Cloud Providers) - Not affected
OSV
mongodb vulnerabilities
Source: osv · 2026-02-25 · CVSS 5.0
CVE-2015-1609 [MEDIUM] mongodb vulnerabilities
Eliot Horowitz discovered that MongoDB may fail to validate some instances
of malformed BSON. A remote attacker could possibly use this issue to cause
MongoDB to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-1609)
It was discovered that MongoDB read raw permissions from .dbshell history
files. A local attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-6494)
Travis Brown discovered that MongoDB may be unable to parse specially
crafted UTF-8 strings in BSON requests. A remote attacker could possibly
use this issue to cause MongoDB to crash, resulting in a denial of service.
This issue only affected Ubuntu 18.04 LTS. (CVE-201
GHSA
GHSA-g6mr-mvf4-4wvj: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting Query
Source: ghsa_unreviewed · 2022-05-24
CVE-2018-20802 [MEDIUM] CWE-394 GHSA-g6mr-mvf4-4wvj: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting Query
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3.
OSV
CVE-2018-20802: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting Query
Source: osv · 2020-11-23 · CVSS 6.5
CVE-2018-20802 [MEDIUM] CVE-2018-20802: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting Query
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-11-23