MongoDB
All CVEs
131 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-1892 | | | 0.07 | — | 0.45 | | Oct 1, 2013 | MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted… |
| CVE-2026-4359 | | Low | 0.06 | 2.0 | 0.00 | | Mar 17, 2026 | A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver. |
| CVE-2013-3969 | | | 0.04 | — | 0.10 | | Oct 1, 2013 | The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object. |
| CVE-2026-25613 | | | 0.00 | — | 0.00 | | Feb 10, 2026 | An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index. |
| CVE-2026-1849 | | | 0.00 | — | 0.00 | | Feb 10, 2026 | MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression. |
| CVE-2026-1850 | | | 0.00 | — | 0.00 | | Feb 10, 2026 | Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash. |
| CVE-2025-14345 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause… |
| CVE-2025-13644 | | | 0.00 | — | 0.00 | | Nov 25, 2025 | MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue… |
| CVE-2025-13643 | | | 0.00 | — | 0.00 | | Nov 25, 2025 | A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB… |
| CVE-2025-12893 | | | 0.00 | — | 0.00 | | Nov 25, 2025 | Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may… |
| CVE-2025-13507 | | | 0.00 | — | 0.00 | | Nov 25, 2025 | Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16… |
| CVE-2025-12119 | | | 0.00 | — | 0.00 | | Nov 18, 2025 | A mongoc_bulk_operation_t may read invalid memory if large options are passed. |
| CVE-2025-11695 | | | 0.00 | — | 0.00 | | Oct 13, 2025 | When tlsInsecure=False appears in a connection string, certificate validation is disabled. This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5. |
| CVE-2025-10061 | | | 0.00 | — | 0.00 | | Sep 5, 2025 | An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability… |
| CVE-2025-10060 | | | 0.00 | — | 0.00 | | Sep 5, 2025 | MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects… |
| CVE-2025-10059 | | | 0.00 | — | 0.00 | | Sep 5, 2025 | An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0… |
| CVE-2025-7259 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | An authorized user can issue queries with duplicate _id fields, which leads to unexpected behavior in MongoDB Server and may result in a crash. This issue can only be triggered by authorized users and causes a denial of service. This issue affects MongoDB Server v8.1 version 8.1.0. |
| CVE-2025-6714 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20… |
| CVE-2025-6713 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB… |
| CVE-2025-6712 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than… |
| CVE-2025-6711 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB… |
| CVE-2025-6710 | | | 0.00 | — | 0.00 | | Jun 26, 2025 | MongoDB Server may be susceptible to stack overflow due to the JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server… |
| CVE-2025-6709 | | | 0.00 | — | 0.00 | | Jun 26, 2025 | The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and… |
| CVE-2025-6707 | | | 0.00 | — | 0.00 | | Jun 26, 2025 | Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server… |
| CVE-2025-6706 | | | 0.00 | — | 0.00 | | Jun 26, 2025 | An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation… |
| CVE-2025-3085 | | | 0.00 | — | 0.00 | | Apr 1, 2025 | A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this… |
| CVE-2025-3084 | | | 0.00 | — | 0.00 | | Apr 1, 2025 | When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16… |
| CVE-2025-3083 | | | 0.00 | — | 0.00 | | Apr 1, 2025 | Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0… |
| CVE-2025-3082 | | | 0.00 | — | 0.00 | | Apr 1, 2025 | A user authorized to access a view may be able to alter the intended collation, allowing them to access a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB… |
| CVE-2025-0755 | | | 0.00 | — | 0.01 | | Mar 18, 2025 | The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible… |
| CVE-2024-10921 | | | 0.00 | — | 0.01 | | Nov 14, 2024 | An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30, MongoDB Server v6.0… |
| CVE-2024-8305 | | | 0.00 | — | 0.01 | | Oct 21, 2024 | prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, which in extreme cases may cause multiple secondaries to crash, leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB… |
| CVE-2024-8654 | | | 0.00 | — | 0.00 | | Sep 10, 2024 | MongoDB Server may access a non-initialized region of memory leading to unexpected behaviour when zero arguments are called in an internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3. |
| CVE-2024-8207 | | | 0.00 | — | 0.00 | | Aug 27, 2024 | In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for an unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared… |
| CVE-2024-6384 | | | 0.00 | — | 0.00 | | Aug 13, 2024 | "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise… |
| CVE-2024-7553 | | | 0.00 | — | 0.00 | | Aug 7, 2024 | Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating system is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue… |
| CVE-2024-6381 | | | 0.00 | — | 0.00 | | Jul 2, 2024 | The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2. |
| CVE-2024-6375 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server… |
| CVE-2024-3374 | | | 0.00 | — | 0.00 | | May 14, 2024 | An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB… |
| CVE-2024-3372 | | | 0.00 | — | 0.01 | | May 14, 2024 | Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server… |
| CVE-2024-1351 | | | 0.00 | — | 0.01 | | Mar 7, 2024 | Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, which may allow untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been… |
| CVE-2023-0437 | | | 0.00 | — | 0.01 | | Jan 12, 2024 | When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects all MongoDB C Driver versions prior to version 1.25.0. |
| CVE-2023-0436 | | | 0.00 | — | 0.01 | | Nov 7, 2023 | The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. … |
| CVE-2023-1409 | | | 0.00 | — | 0.00 | | Aug 23, 2023 | If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially… |
| CVE-2022-24272 | | | 0.00 | — | 0.01 | | Apr 21, 2022 | An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and… |
| CVE-2021-32040 | | | 0.00 | — | 0.02 | | Apr 12, 2022 | It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously… |
| CVE-2021-32036 | | | 0.00 | — | 0.01 | | Feb 4, 2022 | An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field… |
| CVE-2021-32039 | | | 0.00 | — | 0.00 | | Jan 20, 2022 | Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension… |
| CVE-2021-20330 | | | 0.00 | — | 0.01 | | Dec 15, 2021 | An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2… |
| CVE-2021-32037 | | | 0.00 | — | 0.01 | | Nov 24, 2021 | An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to… |
Page 2 of 3