CVE-2019-20925
Published 2020-11-24
Priority: P3 · 44 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.65% (73.6th percentile)
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 0 < 1:3.6.3-0ubuntu1.4 | 1:3.6.3-0ubuntu1.4 |
| mongodb | mongodb | >= 0 < 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3 | 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3 |
| mongodb | mongodb | >= 3.4.0 < 3.4.24 | 3.4.24 |
| mongodb | mongodb | >= 3.6.0 < 3.6.15 | 3.6.15 |
| mongodb | mongodb | >= 4.0.0 < 4.0.13 | 4.0.13 |
| mongodb | mongodb | >= 4.2.0 < 4.2.1 | 4.2.1 |
| mongodb_inc | mongodb_server | >= 3.4 < 3.4.24 | 3.4.24 |
| mongodb_inc | mongodb_server | >= 3.6 < 3.6.15 | 3.6.15 |
| mongodb_inc | mongodb_server | >= 4.0 < 4.0.13 | 4.0.13 |
| mongodb_inc | mongodb_server | >= 4.2 < 4.2.1 | 4.2.1 |
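Added example, not code from the advisory or from MongoDB: a Python check that classifies a server version string (for instance the first line of `mongod --version`, or the value returned by `db.version()` in the shell) against the upstream fixed-in releases in the table above. The version strings in the demo are constructed.

```python
"""Classify a MongoDB Server version against the fixed-in releases for
CVE-2019-20925.

Added example for this page, not code from MongoDB or any advisory. FIXED_IN
is transcribed from the upstream (mongodb_inc) rows of the affected table;
the version strings in the demo are constructed. Use this on upstream
version strings ("4.0.12", "db version v4.0.12"), not on Debian/Ubuntu
package versions, whose scheme and fixed-in values differ.
"""
import re
from typing import Optional, Tuple

# Branch (major, minor) -> first release containing the fix, per the advisory.
FIXED_IN = {
    (3, 4): (3, 4, 24),
    (3, 6): (3, 6, 15),
    (4, 0): (4, 0, 13),
    (4, 2): (4, 2, 1),
}

# major.minor.patch with an optional pre-release tag such as -rc0 or -alpha1.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(rc|alpha|beta)\d*)?")

# (major, minor, patch, final): final is 0 for a pre-release build and 1 for
# the released build, so that 4.2.1-rc0 sorts before 4.2.1.
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z[-pre] out of text, e.g. a `mongod --version` line."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def classify(text: str) -> str:
    """Return 'affected', 'fixed', 'not listed' or 'unknown' for a version string.

    'not listed' means the branch does not appear in the advisory's ranges
    (e.g. 3.2.x or 4.4.x); the advisory makes no claim about those, so this
    is not the same as 'fixed'.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "not listed"
    # A pre-release of the fixed patch level still predates the fix.
    return "affected" if v < fixed + (1,) else "fixed"


if __name__ == "__main__":
    # Constructed inputs; the first mimics the first line of `mongod --version`.
    for sample in ("db version v4.0.12", "4.0.13", "4.2.1-rc0", "3.4.24", "4.4.0", "n/a"):
        print(f"{sample:>22} -> {classify(sample)}")
```

The check is by version number only. Because the vector is network-reachable and pre-authentication (AV:N/PR:N), an instance reported as affected needs the upgrade from the table; until then, limiting which networks can reach the server port is the only control the page supports. The Ubuntu rows carry distro package versions that this parser does not interpret, so compare those with the distribution's own tooling rather than this script.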
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
GHSA-q4wj-8854-jvxq (ghsa_unreviewed · 2022-05-24 · CVE-2019-20925 · HIGH · CWE-697)
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24.
OSV
CVE-2019-20925 (osv · 2020-11-24 · CVSS 7.5 · HIGH)
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Ubuntu
MongoDB vulnerability (vendor_ubuntu · 2021-10-04 · CVE-2019-20925)
Summary: MongoDB could be made to crash if it received specially crafted network traffic.
It was discovered that MongoDB incorrectly handled certain wire protocol messages. A remote attacker could possibly use this issue to cause MongoDB to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
mongodb: DoS via malformed network packet (vendor_redhat · 2019-10-01 · CVSS 7.5 · HIGH · CWE-839 · CVE-2019-20925)
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Package: mongodb (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: mongodb (Red Hat OpenStack Platform 10 (Newton)) - Out of support scope
Package: rh-mongodb36-mongodb (Red Hat Software Collections) - Will not fix
Package: mongodb (Red Hat Update Infrastructure 3 for Cloud Providers) - Not affected
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.