CVE-2018-20804 — Improper Input Validation in INC Mongodb Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 37.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedNov 23

Latest updateMay 24

Description

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server3.6 — 3.6.13+1

▶NVDmongodb/mongodb3.6.0 — 3.6.13+1

🔴Vulnerability Details

GHSA

GHSA-2mp4-qw33-xj6q: A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations↗2022-05-24

▶

OSV

CVE-2018-20804: A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations↗2020-11-23

▶

CVEList

Invariant failure in applyOps↗2020-11-23

▶

📋Vendor Advisories

Red Hat

mongodb: Denial of service via specially crafted applyOps invocations↗2020-11-23

▶