CVE-2018-25004 — Improper Input Validation in INC Mongodb Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

4.9MEDIUMNVD

EPSS

0.4%

top 36.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedMar 1

Latest updateMay 24

Description

A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server3.6 — 3.6.11+1

▶NVDmongodb/mongodb3.6.0 — 3.6.11+1

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-q9xw-pqvh-974r: A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query↗2022-05-24

▶

CVEList

Invariant failure when explaining a find with a UUID↗2021-03-01

▶

OSV

CVE-2018-25004: A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query↗2021-03-01

▶

📋Vendor Advisories

Red Hat

mongodb: Denial of service through generic explain command on a find query↗2021-03-01

▶