CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-3085 – MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked
https://notcve.org/view.php?id=CVE-2025-3085
01 Apr 2025 — A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 version... • https://jira.mongodb.org/browse/SERVER-95445 • CWE-299: Improper Check for Certificate Revocation •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-3084 – MongoDB Server may crash due to improper validation of explain command
https://notcve.org/view.php?id=CVE-2025-3084
01 Apr 2025 — When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4 • https://jira.mongodb.org/browse/SERVER-103153 • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3083 – Malformed MongoDB wire protocol messages may cause mongos to crash
https://notcve.org/view.php?id=CVE-2025-3083
01 Apr 2025 — Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16 Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior t... • https://jira.mongodb.org/browse/SERVER-103152 • CWE-248: Uncaught Exception •
CVSS: 3.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-3082 – User may override a view's collation and gain unauthorized access to underlying data
https://notcve.org/view.php?id=CVE-2025-3082
01 Apr 2025 — A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4. • https://jira.mongodb.org/browse/SERVER-103151 • CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10921 – Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server
https://notcve.org/view.php?id=CVE-2024-10921
14 Nov 2024 — An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2. • https://jira.mongodb.org/browse/SERVER-96419 • CWE-158: Improper Neutralization of Null Byte or NUL Character •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8207 – MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths
https://notcve.org/view.php?id=CVE-2024-8207
27 Aug 2024 — In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions... • https://jira.mongodb.org/browse/SERVER-69507 • CWE-114: Process Control •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-7553 – Accessing Untrusted Directory May Allow Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-7553
07 Aug 2024 — Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and ... • https://jira.mongodb.org/browse/CDRIVER-5650 • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3374 – MongoDB Server (mongod) may crash when generating ftdc
https://notcve.org/view.php?id=CVE-2024-3374
14 May 2024 — An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5. Un usuario no autenticado puede desencadenar una afirmación fatal en el servidor mientras genera métricas de diagnóstico ftdc debido a que intenta crear un objeto BSON que excede ciertos... • https://jira.mongodb.org/browse/SERVER-75601 • CWE-617: Reachable Assertion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-3372 – MongoDB Server may have unexpected application behaviour due to invalid BSON
https://notcve.org/view.php?id=CVE-2024-3372
14 May 2024 — Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25. Una validación inadecuada de cierta entrada de metadatos puede provocar que el servidor no serialice correctam... • https://jira.mongodb.org/browse/SERVER-85263 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1351 – MongoDB Server may allow successful untrusted connection
https://notcve.org/view.php?id=CVE-2024-1351
07 Mar 2024 — Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including... • https://jira.mongodb.org/browse/SERVER-72839 • CWE-295: Improper Certificate Validation •