
CVE-2024-6376 – ejson shell parser in MongoDB Compass may be bypassed
https://notcve.org/view.php?id=CVE-2024-6376
01 Jul 2024 — MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of the ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.
https://jira.mongodb.org/browse/COMPASS-7496
CWE-20: Improper Input Validation; CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-6375 – Missing authorization check may lead to shard key refinement
https://notcve.org/view.php?id=CVE-2024-6375
01 Jul 2024 — A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions prior to 5.0.22, MongoDB Server v6.0 versions prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.
https://jira.mongodb.org/browse/SERVER-79327
CWE-285: Improper Authorization; CWE-862: Missing Authorization

CVE-2024-5629 – Out-of-bounds read in bson module of PyMongo
https://notcve.org/view.php?id=CVE-2024-5629
05 Jun 2024 — An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a server to raise an exception which may contain arbitrary application memory. It was discovered that PyMongo incorrectly handled certain BSON. An att...
https://jira.mongodb.org/browse/PYTHON-4305
CWE-125: Out-of-bounds Read

CVE-2024-3374 – MongoDB Server (mongod) may crash when generating ftdc
https://notcve.org/view.php?id=CVE-2024-3374
14 May 2024 — An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.
https://jira.mongodb.org/browse/SERVER-75601
CWE-617: Reachable Assertion

CVE-2024-3372 – MongoDB Server may have unexpected application behaviour due to invalid BSON
https://notcve.org/view.php?id=CVE-2024-3372
14 May 2024 — Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v5.0 versions prior to 5.0.25.
https://jira.mongodb.org/browse/SERVER-85263
CWE-20: Improper Input Validation

CVE-2024-3371 – Insufficient validation of external input in Compass may enable MITM attacks
https://notcve.org/view.php?id=CVE-2024-3371
24 Apr 2024 — MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to 1.42.0.
https://jira.mongodb.org/browse/COMPASS-7260
CWE-360: Trust of System Event Data

CVE-2024-1351 – MongoDB Server may allow successful untrusted connection
https://notcve.org/view.php?id=CVE-2024-1351
07 Mar 2024 — Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, which may result in untrusted connections succeeding. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including...
https://jira.mongodb.org/browse/SERVER-72839
CWE-295: Improper Certificate Validation

CVE-2023-0437 – MongoDB client C Driver may infinitely loop when validating certain BSON input data
https://notcve.org/view.php?id=CVE-2023-0437
12 Jan 2024 — When calling bson_utf8_validate on some inputs, a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects all MongoDB C Driver versions prior to version 1.25.0.
https://jira.mongodb.org/browse/CDRIVER-4747
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CVE-2023-0436 – Secret logging may occur in debug mode of Atlas Operator
https://notcve.org/view.php?id=CVE-2023-0436
07 Nov 2023 — The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions 1.5.0, 1.6.0, 1.6.1 and 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version. Required Configuration: DEBUG logging is not enabled by default, and must be configured by the end-us...
https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1
CWE-532: Insertion of Sensitive Information into Log File

CVE-2021-32050 – Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application
https://notcve.org/view.php?id=CVE-2021-32050
29 Aug 2023 — Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects ...
https://jira.mongodb.org/browse/CDRIVER-3797
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-532: Insertion of Sensitive Information into Log File