Mongodb Inc Mongodb Server vulnerabilities

CVE-2024-8207 [MEDIUM] CWE-114 CVE-2024-8207: In certain highly specific configurations of the host system and MongoDB server binary installation In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintende

CVE-2024-6384 [MEDIUM] CWE-285 CVE-2024-6384: "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a un "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3

CVE-2024-7553 [HIGH] CWE-284 CVE-2024-7553: Incorrect validation of files loaded from a local untrusted directory may allow local privilege esca Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 ver

CVE-2024-6375 [MEDIUM] CWE-285 CVE-2024-6375: A command for refining a collection shard key is missing an authorization check. This may cause the A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.

CVE-2024-3372 [HIGH] CWE-20 CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSO Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and M

CVE-2024-3374 [MEDIUM] CWE-617 CVE-2024-3374: An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.

CVE-2024-1351 [CRITICAL] CWE-295 CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB S

CVE-2023-1409 [HIGH] CWE-295 CVE-2023-1409: If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of co If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies an

CVE-2022-24272 [MEDIUM] CWE-617 CVE-2022-24272: An authenticated user may trigger an invariant assertion during command dispatch due to incorrect va An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.

CVE-2021-32040 [HIGH] CWE-121 CVE-2021-32040: It may be possible to have an extremely long aggregation pipeline in conjunction with a specific sta It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4

CVE-2021-32036 [HIGH] CWE-770 CVE-2021-32036: An authenticated user without any specific authorizations may be able to repeatedly invoke the featu An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and

CVE-2021-20330 [MEDIUM] CWE-20 CVE-2021-20330: An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.

CVE-2021-32037 [MEDIUM] CWE-617 CVE-2021-32037: An authorized user may trigger an invariant which may result in denial of service or server exit if An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects M

CVE-2021-20333 [MEDIUM] CWE-117 CVE-2021-20333: Sending specially crafted commands to a MongoDB Server may result in artificial log entries being ge Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.

CVE-2021-20326 [MEDIUM] CWE-20 CVE-2021-20326: A user authorized to performing a specific type of find query may trigger a denial of service. This A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.

CVE-2020-7929 [MEDIUM] CWE-185 CVE-2020-7929: A user authorized to perform database queries may trigger denial of service by issuing specially cra A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

CVE-2018-25004 [MEDIUM] CWE-20 CVE-2018-25004: A user authorized to performing a specific type of query may trigger a denial of service by issuing A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.

CVE-2019-20925 [HIGH] CWE-839 CVE-2019-20925: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol m An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v

CVE-2020-7925 [HIGH] CWE-475 CVE-2020-7925: Incorrect validation of user input in the role name parser may lead to use of uninitialized memory a Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.

CVE-2020-7926 [MEDIUM] CWE-755 CVE-2020-7926: A user authorized to perform database queries may cause denial of service by issuing a specially cra A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.