VYPR

Vendor CVEs

MongoDB

All CVEs

131 total · sorted by risk
  • CVE-2021-20333 · Jul 23, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2…

  • CVE-2021-20326 · Apr 30, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.

  • CVE-2021-20334 · Apr 6, 2021
    risk 0.00 · cvss n/a · epss 0.00

    A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and…

  • CVE-2020-7929 · Mar 1, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing a specially crafted query containing a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

  • CVE-2021-20335 · Feb 11, 2021
    risk 0.00 · cvss n/a · epss 0.00

    For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being…

  • CVE-2019-20925 · Nov 24, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to…

  • CVE-2018-20803 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions…

  • CVE-2020-7928 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions…

  • CVE-2019-2393 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server…

  • CVE-2019-20923 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0…

  • CVE-2019-20924 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.

  • CVE-2019-2392 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9;…

  • CVE-2018-20805 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which perform an $elemMatch. This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10.

  • CVE-2018-20802 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.

  • CVE-2018-20804 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.

  • CVE-2020-7926 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.

  • CVE-2020-7925 · Nov 23, 2020
    risk 0.00 · cvss n/a · epss 0.02

    Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB…

  • CVE-2020-7923 · Aug 21, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2…

  • CVE-2019-2388 · May 13, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In affected Ops Manager versions there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1…

  • CVE-2020-7921 · May 6, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2…

  • CVE-2020-7922 · Apr 9, 2020
    risk 0.00 · cvss n/a · epss 0.01

    X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their…

  • CVE-2019-2391 · Mar 31, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior.

  • CVE-2019-2390 · Aug 30, 2019
    risk 0.00 · cvss n/a · epss 0.01

    An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB Server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions…

  • CVE-2019-2386 · Aug 6, 2019
    risk 0.00 · cvss n/a · epss 0.01

    After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions…

  • CVE-2015-7882 · Jul 19, 2019
    risk 0.00 · cvss n/a · epss 0.02

    Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.

  • CVE-2018-16790 · High · Sep 10, 2018
    risk 0.00 · cvss 8.1 · epss 0.02

    _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.

  • CVE-2015-1609 · Mar 30, 2015
    risk 0.00 · cvss n/a · epss 0.03

    MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request.

  • CVE-2014-3971 · Dec 25, 2014
    risk 0.00 · cvss n/a · epss 0.01

    The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

  • CVE-2012-6619 · Mar 6, 2014
    risk 0.00 · cvss n/a · epss 0.04

    The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read.

  • CVE-2013-2132 · Aug 15, 2013
    risk 0.00 · cvss n/a · epss 0.03

    bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef."

  • CVE-2013-4650 · Jul 4, 2013
    risk 0.00 · cvss n/a · epss 0.02

    MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database.

Page 3 of 3