Bitnami package
mongodb
pkg:bitnami/mongodb
Vulnerabilities (85)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-10921 | — | >= 5.0.0, < 5.0.30 | 5.0.30 | Nov 14, 2024 | An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 ve | ||
| CVE-2024-8305 | — | >= 6.0.0, < 6.0.17 | 6.0.17 | Oct 21, 2024 | prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Se | ||
| CVE-2024-8654 | — | >= 6.0.0, < 6.0.15 | 6.0.15 | Sep 10, 2024 | MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3. | ||
| CVE-2024-8207 | — | >= 5.0.0, < 5.0.26 | 5.0.26 | Aug 27, 2024 | In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries | ||
| CVE-2024-6384 | — | >= 6.0.0, < 6.0.16 | 6.0.16 | Aug 13, 2024 | "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise S | ||
| CVE-2024-7553 | — | >= 5.0.0, < 5.0.27 | 5.0.27 | Aug 7, 2024 | Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue af | ||
| CVE-2024-6375 | — | >= 5.0.0, < 5.0.22 | 5.0.22 | Jul 1, 2024 | A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v | ||
| CVE-2024-3374 | — | >= 5.0.0, < 5.0.26 | 5.0.26 | May 14, 2024 | An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Serve | ||
| CVE-2024-3372 | — | >= 5.0.0, < 5.0.25 | 5.0.25 | May 14, 2024 | Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 | ||
| CVE-2024-1351 | — | >= 4.4.0, < 5.0.26 | 5.0.26 | Mar 7, 2024 | Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been cl | ||
| CVE-2023-1409 | Med | 5.3 | >= 4.4.0, < 4.4.23 | 4.4.23 | Aug 23, 2023 | If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially all | |
| CVE-2022-24272 | Med | 6.5 | >= 5.0.0, < 5.0.7 | 5.0.7 | Apr 21, 2022 | An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and includi | |
| CVE-2021-32040 | Med | 6.5 | >= 4.2.0, < 4.2.16 | 4.2.16 | Apr 12, 2022 | It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash | |
| CVE-2021-32036 | Med | 5.4 | >= 2.0.0, < 4.2.18 | 4.2.18 | Feb 4, 2022 | An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field | |
| CVE-2021-32039 | Med | 5.5 | < 0.7.1 | 0.7.1 | Jan 20, 2022 | Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension fo | |
| CVE-2021-20330 | Med | 6.5 | >= 4.0.0, < 4.0.25 | 4.0.25 | Dec 15, 2021 | An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 | |
| CVE-2021-32037 | Med | 6.5 | >= 5.0.0, < 5.0.3 | 5.0.3 | Nov 24, 2021 | An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to l | |
| CVE-2021-20333 | Med | 5.3 | >= 3.6.0, < 3.6.20 | 3.6.20 | Jul 23, 2021 | Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versio | |
| CVE-2021-20326 | Med | 6.5 | >= 4.4.0, < 4.4.4 | 4.4.4 | Apr 30, 2021 | A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4. | |
| CVE-2020-7929 | Med | 6.5 | >= 3.6.0, < 3.6.21 | 3.6.21 | Mar 1, 2021 | A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20. |
- CVE-2024-10921Nov 14, 2024affected >= 5.0.0, < 5.0.30fixed 5.0.30
An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 ve
- CVE-2024-8305Oct 21, 2024affected >= 6.0.0, < 6.0.17fixed 6.0.17
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Se
- CVE-2024-8654Sep 10, 2024affected >= 6.0.0, < 6.0.15fixed 6.0.15
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.
- CVE-2024-8207Aug 27, 2024affected >= 5.0.0, < 5.0.26fixed 5.0.26
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries
- CVE-2024-6384Aug 13, 2024affected >= 6.0.0, < 6.0.16fixed 6.0.16
"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise S
- CVE-2024-7553Aug 7, 2024affected >= 5.0.0, < 5.0.27fixed 5.0.27
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue af
- CVE-2024-6375Jul 1, 2024affected >= 5.0.0, < 5.0.22fixed 5.0.22
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v
- CVE-2024-3374May 14, 2024affected >= 5.0.0, < 5.0.26fixed 5.0.26
An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Serve
- CVE-2024-3372May 14, 2024affected >= 5.0.0, < 5.0.25fixed 5.0.25
Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0
- CVE-2024-1351Mar 7, 2024affected >= 4.4.0, < 5.0.26fixed 5.0.26
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been cl
- affected >= 4.4.0, < 4.4.23fixed 4.4.23
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially all
- affected >= 5.0.0, < 5.0.7fixed 5.0.7
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and includi
- affected >= 4.2.0, < 4.2.16fixed 4.2.16
It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash
- affected >= 2.0.0, < 4.2.18fixed 4.2.18
An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field
- affected < 0.7.1fixed 0.7.1
Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension fo
- affected >= 4.0.0, < 4.0.25fixed 4.0.25
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2
- affected >= 5.0.0, < 5.0.3fixed 5.0.3
An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to l
- affected >= 3.6.0, < 3.6.20fixed 3.6.20
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versio
- affected >= 4.4.0, < 4.4.4fixed 4.4.4
A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.
- affected >= 3.6.0, < 3.6.21fixed 3.6.21
A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.
Page 4 of 5