CVSS: 2.2EPSS: 0%CPEs: 7EXPL: 0CVE-2024-8013 – CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines
https://notcve.org/view.php?id=CVE-2024-8013
A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions. • https://jira.mongodb.org/browse/SERVER-96254 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-8305 – MongoDB Server secondaries may crash due to forced index constraints
https://notcve.org/view.php?id=CVE-2024-8305
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4 • https://jira.mongodb.org/browse/SERVER-92382 • CWE-1288: Improper Validation of Consistency within Input •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8654 – MongoDB Server may access non-initialized region of memory leading to unexpected behaviour
https://notcve.org/view.php?id=CVE-2024-8654
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3. MongoDB Server puede acceder a una región de memoria no inicializada, lo que genera un comportamiento inesperado cuando se invocan argumentos cero en la etapa de agregación interna. Este problema afecta a MongoDB Server v6.0 versión 6.0.3. • https://jira.mongodb.org/browse/SERVER-71477 • CWE-908: Use of Uninitialized Resource •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8207 – MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths
https://notcve.org/view.php?id=CVE-2024-8207
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3. Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue • https://jira.mongodb.org/browse/SERVER-69507 • CWE-114: Process Control •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-6384 – Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server
https://notcve.org/view.php?id=CVE-2024-6384
"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3 • https://jira.mongodb.org/browse/SERVER-93516 • CWE-285: Improper Authorization •