CVE-2018-20802 — Unexpected Status Code or Return Value in INC Mongodb Server

CWE-394 — Unexpected Status Code or Return Value CWE-393 — Return of Wrong Status Code6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 37.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedNov 23

Latest updateFeb 25

Description

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5mongodb_inc/mongodb_server3.6 — 3.6.9+1

▶NVDmongodb/mongodb3.6.0 — 3.6.9+1

▶Ubuntumongodb/mongodb< 1:3.6.3-0ubuntu1.4+esm1

🔴Vulnerability Details

GHSA

GHSA-g6mr-mvf4-4wvj: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting Query↗2022-05-24

▶

OSV

CVE-2018-20802: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting Query↗2020-11-23

▶

CVEList

Post-auth queries on compound index may crash mongod↗2020-11-23

▶

📋Vendor Advisories

Ubuntu

MongoDB vulnerabilities↗2026-02-25

▶

Red Hat

mongodb: Denial of service via crafted queries with compound indexes affecting QueryPlanner↗2020-11-23

▶