
CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Feb 2021 — A specific version of the Node.js mongodb-client-encryption module does not correctly validate the KMS server’s certificate. Combined with an active MITM attack from a privileged network position, this vulnerability could result in interception of traffic between the Node.js driver and the KMS service, rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from ... • https://jira.mongodb.org/browse/NODE-3125 • CWE-295: Improper Certificate Validation

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Feb 2021 — For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, cust... • https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23 • CWE-319: Cleartext Transmission of Sensitive Information

CVSS: 7.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Nov 2020 — An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24. • https://jira.mongodb.org/browse/SERVER-43751 • CWE-697: Incorrect Comparison; CWE-839: Numeric Range Comparison Without Minimum Check

CVSS: 8.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

23 Nov 2020 — Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2. • https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3 • CWE-648: Incorrect Use of Privileged APIs

CVSS: 6.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19. • https://jira.mongodb.org/browse/SERVER-38070 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CVSS: 6.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

23 Nov 2020 — A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20. • https://jira.mongodb.org/browse/SERVER-49404 • CWE-158: Improper Neutralization of Null Byte or NUL Character

CVSS: 6.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15. • https://jira.mongodb.org/browse/SERVER-43350 • CWE-416: Use After Free

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled JavaScript exceptions containing types intended to be scoped to the JavaScript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7. • https://jira.mongodb.org/browse/SERVER-39481 • CWE-749: Exposed Dangerous Method or Function

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2. • https://jira.mongodb.org/browse/SERVER-44377 • CWE-394: Unexpected Status Code or Return Value; CWE-754: Improper Check for Unusual or Exceptional Conditions

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20. • https://jira.mongodb.org/browse/SERVER-43699 • CWE-190: Integer Overflow or Wraparound