VYPR

MongoDB Server

by MongoDB

CVEs (15)

  • CVE-2019-2390HigAug 30, 2019
    risk 0.53cvss 8.2epss 0.01

    An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions…

  • CVE-2022-24272MedApr 21, 2022
    risk 0.42cvss 6.5epss 0.01

    An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and…

  • CVE-2021-32040MedApr 12, 2022
    risk 0.42cvss 6.5epss 0.02

    It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously…

  • CVE-2021-20330MedDec 15, 2021
    risk 0.42cvss 6.5epss 0.01

    An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2…

  • CVE-2021-32037MedNov 24, 2021
    risk 0.42cvss 6.5epss 0.01

    An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to…

  • CVE-2021-20326MedApr 30, 2021
    risk 0.42cvss 6.5epss 0.01

    A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.

  • CVE-2019-20925HigNov 24, 2020
    risk 0.42cvss 7.5epss 0.02

    An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to…

  • CVE-2020-7928MedNov 23, 2020
    risk 0.42cvss 6.5epss 0.01

    A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions…

  • CVE-2019-2392MedNov 23, 2020
    risk 0.42cvss 6.5epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9;…

  • CVE-2020-7926MedNov 23, 2020
    risk 0.42cvss 6.5epss 0.01

    A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.

  • CVE-2020-7923MedAug 21, 2020
    risk 0.42cvss 6.5epss 0.01

    A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2…

  • CVE-2019-20923MedNov 23, 2020
    risk 0.35cvss 6.5epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0…

  • CVE-2023-1409MedAug 23, 2023
    risk 0.34cvss 5.3epss 0.00

    If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially…

  • CVE-2019-2389MedAug 30, 2019
    risk 0.34cvss 5.3epss 0.00

    Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions…

  • CVE-2020-7921MedMay 6, 2020
    risk 0.30cvss 4.6epss 0.01

    Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2…