CVE-2020-7925Undefined Behavior for Input to API in INC Mongodb Server

CWE-475Undefined Behavior for Input to APICWE-20Improper Input Validation5 documents5 sources
Severity
7.5HIGHNVD
EPSS
1.7%
top 17.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedNov 23
Latest updateMay 24

Description

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server4.24.2.9+1
NVDmongodb/mongodb4.2.04.2.9+1

🔴Vulnerability Details

3
GHSA
GHSA-v8v4-4v92-48h2: Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a speci2022-05-24
OSV
CVE-2020-7925: Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a speci2020-11-23
CVEList
Denial of Service when processing malformed Role names2020-11-23

📋Vendor Advisories

1
Red Hat
mongodb: Incorrect validation of user input in the role name parser2020-11-23
CVE-2020-7925 — Undefined Behavior for Input to API | cvebase