
CVE-2019-2392 – $mod can result in undefined behavior
https://notcve.org/view.php?id=CVE-2019-2392
23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20. • https://jira.mongodb.org/browse/SERVER-43699 • CWE-190: Integer Overflow or Wraparound

CVE-2018-20805 – Invariant with $elemMatch
https://notcve.org/view.php?id=CVE-2018-20805
23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch. This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10. • https://jira.mongodb.org/browse/SERVER-38164 • CWE-834: Excessive Iteration

CVE-2018-20802 – Post-auth queries on compound index may crash mongod
https://notcve.org/view.php?id=CVE-2018-20802
23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3. • https://jira.mongodb.org/browse/SERVER-36993 • CWE-394: Unexpected Status Code or Return Value

CVE-2018-20804 – Invariant failure in applyOps
https://notcve.org/view.php?id=CVE-2018-20804
23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13. • https://jira.mongodb.org/browse/SERVER-35636 • CWE-20: Improper Input Validation

CVE-2020-7923 – Specific GeoQuery can cause DoS against MongoDB Server
https://notcve.org/view.php?id=CVE-2020-7923
21 Aug 2020 — A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19. • https://jira.mongodb.org/browse/SERVER-47773 • CWE-755: Improper Handling of Exceptional Conditions

CVE-2020-7921 – Administrative action may disable enforcement of per-user IP whitelisting
https://notcve.org/view.php?id=CVE-2020-7921
06 May 2020 — Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3 and MongoDB Server v3.6 versions prior to 3.6.18. • https://jira.mongodb.org/browse/SERVER-45472 • CWE-182: Collapse of Data into Unsafe Value; CWE-863: Incorrect Authorization

CVE-2019-2389 – Process termination via PID file manipulation
https://notcve.org/view.php?id=CVE-2019-2389
30 Aug 2019 — Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22. • https://jira.mongodb.org/browse/SERVER-40563 • CWE-20: Improper Input Validation; CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2019-2390 – Code execution on Windows via OpenSSL engine injection
https://notcve.org/view.php?id=CVE-2019-2390
30 Aug 2019 — An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 versions prior to 3.4.22. • https://jira.mongodb.org/browse/SERVER-42233 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2019-2386 – Authorization session conflation
https://notcve.org/view.php?id=CVE-2019-2386
06 Aug 2019 — After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Ref... • https://jira.mongodb.org/browse/SERVER-38984 • CWE-285: Improper Authorization; CWE-613: Insufficient Session Expiration