CVE-2018-20803 — Infinite Loop in INC Mongodb Server

CWE-835 — Infinite Loop5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 37.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedNov 23

Latest updateMay 24

Description

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server4.0 — 4.0.5+2

▶NVDmongodb/mongodb3.4.0 — 3.4.19+2

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-w7g3-8fq6-h7f2: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathemati↗2022-05-24

▶

CVEList

Infinite loop in aggregation expression↗2020-11-23

▶

OSV

CVE-2018-20803: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathemati↗2020-11-23

▶

📋Vendor Advisories

Red Hat

mongodb: Infinite loop in aggregation expression↗2020-11-23

▶