CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-7553 – Accessing Untrusted Directory May Allow Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-7553
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue • https://jira.mongodb.org/browse/CDRIVER-5650 https://jira.mongodb.org/browse/PHPC-2369 https://jira.mongodb.org/browse/SERVER-93211 • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6382 – Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands.
https://notcve.org/view.php?id=CVE-2024-6382
Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2 El manejo incorrecto de ciertas entradas de cadenas puede provocar que el controlador MongoDB Rust cree comandos de servidor no deseados. Esto puede provocar un comportamiento inesperado de la aplicación, incluida la modificación de datos. Este problema afecta a las versiones MongoDB Rust Driver 2.0 anteriores a la 2.8.2 • https://jira.mongodb.org/browse/RUST-1881 • CWE-228: Improper Handling of Syntactically Invalid Structure •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-6375 – Missing authorization check may lead to shard key refinement
https://notcve.org/view.php?id=CVE-2024-6375
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3. A un comando para refinar una clave de fragmento de colección le falta una verificación de autorización. Esto puede hacer que el comando se ejecute directamente en un fragmento, lo que provoca una degradación del rendimiento de la consulta o revela límites de fragmentos a través de canales laterales de temporización. • https://jira.mongodb.org/browse/SERVER-79327 • CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3374 – MongoDB Server (mongod) may crash when generating ftdc
https://notcve.org/view.php?id=CVE-2024-3374
An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5. Un usuario no autenticado puede desencadenar una afirmación fatal en el servidor mientras genera métricas de diagnóstico ftdc debido a que intenta crear un objeto BSON que excede ciertos tamaños de memoria. Este problema afecta a las versiones de MongoDB Server v5.0 anteriores a la 5.0.16 incluida y a las versiones de MongoDB Server v6.0 anteriores a la 6.0.5 incluida. • https://jira.mongodb.org/browse/SERVER-75601 • CWE-617: Reachable Assertion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-3372 – MongoDB Server may have unexpected application behaviour due to invalid BSON
https://notcve.org/view.php?id=CVE-2024-3372
Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25. Una validación inadecuada de cierta entrada de metadatos puede provocar que el servidor no serialice correctamente BSON. Esto se puede realizar antes de la autenticación y puede provocar un comportamiento inesperado de la aplicación, incluida la falta de disponibilidad de las respuestas de serverStatus. • https://jira.mongodb.org/browse/SERVER-85263 • CWE-20: Improper Input Validation •