CVE-2019-20925 — Numeric Range Comparison Without Minimum Check in INC Mongodb Server

CWE-839 — Numeric Range Comparison Without Minimum Check CWE-697 — Incorrect Comparison6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 34.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedNov 24

Latest updateMay 24

Description

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5mongodb_inc/mongodb_server4.2 — 4.2.1+3

▶NVDmongodb/mongodb3.4.0 — 3.4.24+3

▶Ubuntumongodb/mongodb< 1:3.6.3-0ubuntu1.4+1

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-q4wj-8854-jvxq: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to i↗2022-05-24

▶

CVEList

Denial of service via malformed network packet↗2020-11-24

▶

OSV

CVE-2019-20925: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to i↗2020-11-24

▶

📋Vendor Advisories

Ubuntu

MongoDB vulnerability↗2021-10-04

▶

Red Hat

mongodb: DoS via malformed network packet↗2019-10-01

▶