
CVE-2021-20332 – MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application
https://notcve.org/view.php?id=CVE-2021-20332
02 Aug 2021 — Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default. This issue affects MongoDB Rust Driver version 2.0.0-alpha, MongoDB Rust Driver version 2.0.0-alpha1 and MongoDB Rust Driver version 1.0.0 through to and inclu... • https://jira.mongodb.org/browse/RUST-591 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2021-20333 – Server log entry spoofing via newline injection
https://notcve.org/view.php?id=CVE-2021-20333
23 Jul 2021 — Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated, or in log entries being split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10. • https://jira.mongodb.org/browse/SERVER-50605 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
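As an added illustration of the CWE-117 pattern this entry describes (example code written for this page, not MongoDB's server code): a logger that interpolates a client-controlled string verbatim turns one call into two records, while a neutralizing variant keeps it to one line and leaves a marker that a detection rule can key on. The log format, the message text and the attacker string are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample input: a client-controlled string (say, a user name that
// a failed-login message echoes back) carrying a line break followed by text
// shaped like a second, legitimate-looking entry. Everything after the "\n"
// is the forgery.
const attackerInput = "appuser\n2021-07-23T10:00:01.000+00:00 I  ACCESS   [conn7] Successfully authenticated as principal admin on admin"

// formatEntry is the one line format both loggers share; the timestamp,
// severity, component and connection id are trusted, the message is not.
func formatEntry(ts, component, ctx, msg string) string {
	return fmt.Sprintf("%s I  %-8s [%s] %s", ts, component, ctx, msg)
}

// vulnerableEntry writes the message verbatim (CWE-117): a CR or LF inside it
// ends the record early and the remainder lands on its own line, where a log
// pipeline has no way to tell it from a genuine entry.
func vulnerableEntry(ts, component, ctx, msg string) string {
	return formatEntry(ts, component, ctx, msg)
}

// neutralize escapes the record delimiters so that one logger call always
// yields exactly one line. Escaping rather than deleting keeps the evidence
// that an injection was attempted.
func neutralize(s string) string {
	return strings.NewReplacer("\r", `\r`, "\n", `\n`).Replace(s)
}

// safeEntry is the hardened variant: identical format, neutralized message.
func safeEntry(ts, component, ctx, msg string) string {
	return formatEntry(ts, component, ctx, neutralize(msg))
}

// lineCount is what a log shipper sees: how many records one write produced.
func lineCount(entry string) int {
	return strings.Count(entry, "\n") + 1
}

// suspicious flags neutralized entries that still carry an escaped line break,
// i.e. an attempt worth alerting on. A forged line that already matches the
// format perfectly cannot be told apart after the fact, which is why the fix
// is neutralization at write time and detection is only a complement.
func suspicious(entry string) bool {
	return strings.Contains(entry, `\n`) || strings.Contains(entry, `\r`)
}

func main() {
	ts, comp, ctx := "2021-07-23T10:00:00.000+00:00", "ACCESS", "conn12"
	msg := "authentication failed for user " + attackerInput
	bad := vulnerableEntry(ts, comp, ctx, msg)
	good := safeEntry(ts, comp, ctx, msg)
	fmt.Printf("vulnerable: %d line(s)\n%s\n\n", lineCount(bad), bad)
	fmt.Printf("hardened: %d line(s), suspicious=%v\n%s\n", lineCount(good), suspicious(good), good)
}
```

The same neutralize step belongs on any other delimiter the log format relies on (a record separator, a field separator in CSV-style logs); the two bytes handled here are the ones that split line-oriented logs.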

CVE-2021-20329 – Specific cstrings input may not be properly validated in the Go Driver
https://notcve.org/view.php?id=CVE-2021-20329
10 Jun 2021 — Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with a specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB Go Drivers prior to and including 1.5.0. • https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1 • CWE-20: Improper Input Validation CWE-1287: Improper Validation of Specified Type of Input •
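An added example of the mechanism behind this entry, written for this page and not taken from the Go driver: a minimal BSON encoder and strict decoder showing how a key that contains a NUL byte smuggles extra elements past a reader that checks framing, and the key validation that closes the hole. The field names, the injected "isAdmin" element and the scenario in which the attacker controls a key are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// A minimal BSON encoder/decoder for two element types, written for this example
// (not the driver's code). BSON keys are cstrings: raw bytes ended by a single
// 0x00 with no length prefix, so a reader can only end a key at the first NUL.
const (
	typeString byte = 0x02
	typeInt32  byte = 0x10
)

type field struct {
	key   string
	value interface{} // string or int32
}

func encodeValue(v interface{}) (byte, []byte) {
	switch x := v.(type) {
	case string: // int32 length including the NUL, the bytes, NUL
		b := binary.LittleEndian.AppendUint32(nil, uint32(len(x)+1))
		return typeString, append(append(b, x...), 0)
	case int32:
		return typeInt32, binary.LittleEndian.AppendUint32(nil, uint32(x))
	}
	panic("unsupported value type")
}

// marshal encodes fields in order. With validateKeys=false it behaves like an
// encoder that never checks keys for embedded NULs (the defect described for
// the Go driver): the key bytes are copied through and a NUL appended, so an
// embedded NUL ends the key early and the rest of the "key" is parsed as wire
// data. With validateKeys=true such keys are refused up front, the only fix
// available since the format cannot represent a NUL inside a key.
func marshal(fields []field, validateKeys bool) ([]byte, error) {
	var body []byte
	for _, f := range fields {
		if validateKeys && strings.IndexByte(f.key, 0) >= 0 {
			return nil, fmt.Errorf("key %q contains a NUL byte", f.key)
		}
		t, val := encodeValue(f.value)
		body = append(append(append(append(body, t), f.key...), 0), val...)
	}
	doc := binary.LittleEndian.AppendUint32(nil, uint32(4+len(body)+1))
	return append(append(doc, body...), 0), nil
}

// unmarshal is a strict reader: the length prefix must match, the terminator
// must be the final byte and every element must fit. The injection below passes
// all of these checks, which is the point.
func unmarshal(doc []byte) ([]field, error) {
	if len(doc) < 5 || int(binary.LittleEndian.Uint32(doc)) != len(doc) || doc[len(doc)-1] != 0 {
		return nil, errors.New("bad document framing")
	}
	var out []field
	p := 4
	for p < len(doc)-1 {
		t, n := doc[p], bytes.IndexByte(doc[p+1:], 0)
		if n < 0 || p+n+6 > len(doc) { // need the key, its NUL and at least 4 value bytes
			return nil, errors.New("truncated element")
		}
		key := string(doc[p+1 : p+1+n])
		p += n + 2
		switch t {
		case typeString:
			l := int(binary.LittleEndian.Uint32(doc[p:]))
			p += 4
			if l < 1 || p+l > len(doc) || doc[p+l-1] != 0 {
				return nil, errors.New("bad string value")
			}
			out = append(out, field{key, string(doc[p : p+l-1])})
			p += l
		case typeInt32:
			out = append(out, field{key, int32(binary.LittleEndian.Uint32(doc[p:]))})
			p += 4
		default:
			return nil, fmt.Errorf("unsupported element type 0x%02x", t)
		}
	}
	if p != len(doc)-1 {
		return nil, errors.New("element overran the terminator")
	}
	return out, nil
}

// craftedKey is the constructed attacker input for a field the application
// meant to write as {"name": <value>}, in a setting where the attacker controls
// the key too (map keys copied from a JSON request body, say). After the first
// NUL the bytes complete "name" with the attacker's value, add an "isAdmin"
// element the application never wrote, and open one more string element whose
// key the encoder terminates for us and whose value becomes the application's
// own value, so the document stays well-formed end to end.
func craftedKey() string {
	_, alice := encodeValue("alice")
	_, one := encodeValue(int32(1))
	k := append([]byte("name\x00"), alice...)
	k = append(append(append(k, typeInt32), "isAdmin\x00"...), one...)
	k = append(append(k, typeString), "swallowed"...)
	return string(k)
}

func main() {
	doc, _ := marshal([]field{{craftedKey(), "alice"}}, false)
	fields, err := unmarshal(doc)
	fmt.Println(fields, err) // [{name alice} {isAdmin 1} {swallowed alice}] <nil>
	_, err = marshal([]field{{craftedKey(), "alice"}}, true)
	fmt.Println(err)
}
```

The takeaway for application code is that a length-checking receiver is no defence here: the injected document is byte-for-byte valid BSON. Only the encoder, which still knows where the caller's key was meant to end, can reject it, so keep the driver at a version that validates keys and do not let untrusted input become document keys.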

CVE-2021-20331 – MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application
https://notcve.org/view.php?id=CVE-2021-20331
13 May 2021 — Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables ... • https://jira.mongodb.org/browse/CSHARP-3521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
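For this entry and CVE-2021-20332 above (the Rust driver's pool-created event), an added example of the mitigation an application can apply on its own side, written in Go for this page and not taken from either driver: a redaction layer between the driver's monitoring events and whatever logs them. The event types, field names and option keys are assumptions standing in for the real driver APIs, and the sample events are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Stand-ins for the drivers' monitoring event types. The type and field names
// are assumptions for this example, not the C# or Rust driver's own API.
type CommandStartedEvent struct {
	CommandName string
	Command     map[string]interface{}
}

type PoolCreatedEvent struct {
	Address string
	Options map[string]interface{}
}

const redacted = "REDACTED"

// sensitiveCommands are commands whose bodies carry credentials or password
// material: the ones the advisory names, plus "authenticate" (assumed here).
// hello/isMaster is only sensitive when it carries speculativeAuthenticate.
var sensitiveCommands = map[string]bool{
	"saslStart": true, "saslContinue": true, "createUser": true, "updateUser": true, "authenticate": true,
}

// redactCommand returns an event that is safe to hand to a logger. The whole body
// of a sensitive command is dropped rather than individual keys, because the
// secret can sit under several names (payload, pwd, mechanism data) and a
// deny-list of keys is easy to get wrong.
func redactCommand(e CommandStartedEvent) CommandStartedEvent {
	sensitive := sensitiveCommands[e.CommandName]
	if e.CommandName == "isMaster" || e.CommandName == "hello" {
		_, sensitive = e.Command["speculativeAuthenticate"]
	}
	if !sensitive {
		return e
	}
	return CommandStartedEvent{CommandName: e.CommandName, Command: map[string]interface{}{}}
}

// redactURI keeps scheme, user name, hosts and options of a connection string
// and replaces only the password.
func redactURI(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	if u.User != nil {
		if _, has := u.User.Password(); has {
			u.User = url.UserPassword(u.User.Username(), redacted)
		}
	}
	return u.String(), nil
}

// redactPoolOptions scrubs credential-bearing entries from pool options before
// they are logged. The key names matched here are assumptions; map them to the
// option names the driver actually exposes.
func redactPoolOptions(opts map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(opts))
	for k, v := range opts {
		lk := strings.ToLower(k)
		switch s, isStr := v.(string); {
		case isStr && (lk == "uri" || lk == "connectionstring"):
			r, err := redactURI(s)
			if err != nil {
				r = redacted // unparseable: do not risk echoing it
			}
			out[k] = r
		case strings.Contains(lk, "password") || strings.Contains(lk, "credential") || strings.Contains(lk, "token"):
			out[k] = redacted
		default:
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed events: what a listener would receive for a SCRAM login and a pool start-up.
	ev := CommandStartedEvent{CommandName: "saslStart", Command: map[string]interface{}{
		"saslStart": 1, "mechanism": "SCRAM-SHA-256", "payload": "n,,n=app,r=clientnonce"}}
	pool := PoolCreatedEvent{Address: "db1.example.internal:27017", Options: map[string]interface{}{
		"uri": "mongodb://app:s3cret@db1.example.internal:27017/app?authSource=admin", "maxPoolSize": 100}}
	fmt.Printf("command: %+v\n", redactCommand(ev))
	fmt.Printf("pool %s: %v\n", pool.Address, redactPoolOptions(pool.Options))
}
```

Such a layer is a defence in depth, not a substitute for upgrading: it only covers the fields it knows about, so the listener should also be the only path from driver events to logs, and the logs themselves should be checked once for credentials that were emitted before the filter existed.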

CVE-2021-20326 – Specially crafted query may result in a denial of service of mongod
https://notcve.org/view.php?id=CVE-2021-20326
30 Apr 2021 — A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4. • https://jira.mongodb.org/browse/SERVER-53929 • CWE-20: Improper Input Validation CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2020-7924 – Specific command line parameter might result in accepting invalid certificate
https://notcve.org/view.php?id=CVE-2020-7924
12 Apr 2021 — Usage of a specific command line parameter in MongoDB Tools, which was originally intended only to skip hostname checks, may result in MongoDB skipping all certificate validation, and so in accepting invalid certificates. This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0. • https://jira.mongodb.org/browse/TOOLS-2587 • CWE-295: Improper Certificate Validation •

CVE-2021-20334 – Local privilege escalation in MongoDB Compass for Windows
https://notcve.org/view.php?id=CVE-2021-20334
06 Apr 2021 — A malicious third party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects MongoDB Compass for Windows 1.x versions from 1.3.0 up to, but not including, 1.25.0. • https://jira.mongodb.org/browse/COMPASS-4510 • CWE-269: Improper Privilege Management •

CVE-2018-25004 – Invariant failure when explaining a find with a UUID
https://notcve.org/view.php?id=CVE-2018-25004
01 Mar 2021 — A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11. • https://jira.mongodb.org/browse/SERVER-38275 • CWE-20: Improper Input Validation •

CVE-2020-7929 – Specially crafted regex query can cause DoS
https://notcve.org/view.php?id=CVE-2020-7929
01 Mar 2021 — A user authorized to perform database queries may trigger a denial of service by issuing a specially crafted query containing a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20. • https://jira.mongodb.org/browse/SERVER-51083 • CWE-185: Incorrect Regular Expression •

CVE-2021-20328 – MongoDB Java driver client-side field level encryption not verifying KMS host name
https://notcve.org/view.php?id=CVE-2021-20328
25 Feb 2021 — Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate. In combination with a privileged network position (an active MITM attack), this could result in interception of traffic between the Java driver and the KMS service, rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Jav... • https://jira.mongodb.org/browse/JAVA-4017 • CWE-295: Improper Certificate Validation •
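For this entry and CVE-2020-7924 above, an added Go example (written for this page; not the Database Tools' or the Java driver's code) of the distinction both advisories turn on. With crypto/tls, "skip only the host name check" means setting InsecureSkipVerify and then re-doing chain verification in VerifyPeerCertificate with DNSName left empty; setting InsecureSkipVerify alone is the "skip everything" failure, and leaving the name unchecked at all is the CSFLE failure. The block issues throwaway certificates for constructed names, runs real handshakes over loopback TCP (so it assumes loopback networking is available) and compares the three modes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type verifyMode int

const (
	fullVerify   verifyMode = iota // chain and host name: the crypto/tls default
	skipHostname                   // chain only: what a "skip hostname check" option should mean
	skipAll                        // nothing: what the advisory says the option turned into
)

// clientConfig builds the client side for each mode. crypto/tls has no switch for
// "verify the chain but not the name": skipHostname must set InsecureSkipVerify,
// which disables both checks, and then put chain verification back through
// VerifyPeerCertificate. Stopping after the first step is exactly the skipAll bug.
func clientConfig(mode verifyMode, roots *x509.CertPool, serverName string) *tls.Config {
	cfg := &tls.Config{ServerName: serverName, RootCAs: roots, InsecureSkipVerify: mode != fullVerify}
	if mode == skipHostname {
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			return verifyChain(raw, roots)
		}
	}
	return cfg
}

// verifyChain re-runs chain validation with DNSName deliberately left empty: a name
// mismatch is tolerated; an untrusted issuer, expiry or wrong key usage is not.
func verifyChain(raw [][]byte, roots *x509.CertPool) error {
	certs, err := x509.ParseCertificates(bytes.Join(raw, nil))
	if err != nil || len(certs) == 0 {
		return fmt.Errorf("empty or unparseable certificate chain: %v", err)
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// handshake performs a real TLS handshake over a loopback TCP connection and
// returns the client's verdict on the server's certificate.
func handshake(client *tls.Config, server tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // the server's view is not what is being tested
			c.Close()
		}
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), client)
	if err != nil {
		ln.Close() // also unblocks Accept if the connection never arrived
	}
	<-srvDone
	if conn != nil {
		conn.Close()
	}
	return err
}

// issue creates a throwaway certificate (nil parent: self-signed); the parsed form
// is kept in Leaf so the same value can act as a CA root or signer. CertSign only
// matters on the CA and is harmless on the leaves.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// scenarios runs each mode against a certificate from the trusted CA for the dialled
// name, the same certificate under another name, and a rogue self-signed certificate
// for the right name (the cheapest MITM setup). Names and CA are constructed.
func scenarios() map[string]error {
	const name, other = "mongo.example.internal", "other.example.internal"
	ca, caKey := issue("Example Internal CA", nil, true, nil, nil)
	good, _ := issue(name, []string{name}, false, ca.Leaf, caKey)
	rogue, _ := issue(name, []string{name}, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	run := func(mode verifyMode, dial string, cert tls.Certificate) error {
		return handshake(clientConfig(mode, roots, dial), cert)
	}
	return map[string]error{
		"full/right-name":         run(fullVerify, name, good),
		"full/wrong-name":         run(fullVerify, other, good),
		"skipHostname/wrong-name": run(skipHostname, other, good),
		"full/rogue":              run(fullVerify, name, rogue),
		"skipHostname/rogue":      run(skipHostname, name, rogue),
		"skipAll/rogue":           run(skipAll, name, rogue),
	}
}

func main() {
	for label, err := range scenarios() {
		fmt.Printf("%-24s -> %v\n", label, err)
	}
}
```

The rows to compare are "skipHostname/rogue", which still fails because the issuer is untrusted, and "skipAll/rogue", which succeeds against a certificate anyone could have minted. A KMS client that behaves like the skipHostname row is the CSFLE failure described in this entry: encrypted field keys flow to whoever answers on the wire with any certificate the trusted CA ever issued, so for a KMS endpoint the full mode is the only acceptable one.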