VYPR

Bitnami package

mongodb

pkg:bitnami/mongodb

Vulnerabilities (85)

  • CVE-2024-10921Nov 14, 2024
    affected >= 5.0.0, < 5.0.30fixed 5.0.30

    An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 ve

  • CVE-2024-8305Oct 21, 2024
    affected >= 6.0.0, < 6.0.17fixed 6.0.17

    prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Se

  • CVE-2024-8654Sep 10, 2024
    affected >= 6.0.0, < 6.0.15fixed 6.0.15

    MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.

  • CVE-2024-8207Aug 27, 2024
    affected >= 5.0.0, < 5.0.26fixed 5.0.26

    In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries

  • CVE-2024-6384Aug 13, 2024
    affected >= 6.0.0, < 6.0.16fixed 6.0.16

    "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise S

  • CVE-2024-7553Aug 7, 2024
    affected >= 5.0.0, < 5.0.27fixed 5.0.27

    Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue af

  • CVE-2024-6375Jul 1, 2024
    affected >= 5.0.0, < 5.0.22fixed 5.0.22

    A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v

  • CVE-2024-3374May 14, 2024
    affected >= 5.0.0, < 5.0.26fixed 5.0.26

    An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Serve

  • CVE-2024-3372May 14, 2024
    affected >= 5.0.0, < 5.0.25fixed 5.0.25

    Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0

  • CVE-2024-1351Mar 7, 2024
    affected >= 4.4.0, < 5.0.26fixed 5.0.26

    Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been cl

  • CVE-2023-1409MedAug 23, 2023
    affected >= 4.4.0, < 4.4.23fixed 4.4.23

    If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially all

  • CVE-2022-24272MedApr 21, 2022
    affected >= 5.0.0, < 5.0.7fixed 5.0.7

    An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and includi

  • CVE-2021-32040MedApr 12, 2022
    affected >= 4.2.0, < 4.2.16fixed 4.2.16

    It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash

  • CVE-2021-32036MedFeb 4, 2022
    affected >= 2.0.0, < 4.2.18fixed 4.2.18

    An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field

  • CVE-2021-32039MedJan 20, 2022
    affected < 0.7.1fixed 0.7.1

    Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension fo

  • CVE-2021-20330MedDec 15, 2021
    affected >= 4.0.0, < 4.0.25fixed 4.0.25

    An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2

  • CVE-2021-32037MedNov 24, 2021
    affected >= 5.0.0, < 5.0.3fixed 5.0.3

    An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to l

  • CVE-2021-20333MedJul 23, 2021
    affected >= 3.6.0, < 3.6.20fixed 3.6.20

    Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versio

  • CVE-2021-20326MedApr 30, 2021
    affected >= 4.4.0, < 4.4.4fixed 4.4.4

    A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.

  • CVE-2020-7929MedMar 1, 2021
    affected >= 3.6.0, < 3.6.21fixed 3.6.21

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

Page 4 of 5