CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-3104
https://notcve.org/view.php?id=CVE-2016-3104
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. Mongod en MongoDB 2.6, cuando se utilizan usuarios de estilo 2.4 y 2.4 permiten a los atacantes remotos provocar una denegación de servicio (consumo de memoria y terminación del proceso) aprovechando la representación de la base de datos en memoria al autenticarse en una base de datos inexistente. • http://www.securityfocus.com/bid/94929 https://bugzilla.redhat.com/show_bug.cgi?id=1324496 https://jira.mongodb.org/browse/SERVER-24378 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6494
https://notcve.org/view.php?id=CVE-2016-6494
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files. El cliente en MongoDB utiliza permisos accesibles a todos en archivos históricos .dbshell, lo que podría permitir a usuarios locales obtener información sensible leyendo estos archivos. • http://www.openwall.com/lists/oss-security/2016/07/29/4 http://www.openwall.com/lists/oss-security/2016/07/29/8 http://www.securityfocus.com/bid/92204 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908 https://bugzilla.redhat.com/show_bug.cgi?id=1362553 https://github.com/mongodb/mongo/commit/035cf2afc04988b22cb67f4ebfd77e9b344cb6e0 https://jira.mongodb.org/browse/SERVER-25335 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MCE2ZLFBNOK3TTWS • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 2%CPEs: 10EXPL: 0CVE-2015-1609
https://notcve.org/view.php?id=CVE-2015-1609
MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request. MongoDB anterior a 2.4.13 y 2.6.x anterior a 2.6.8 permite a atacantes remotos causar una denegación de servicio a través de una cadena UTF-8 manipulada en una solicitud BSON. • http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html http://www.securitytracker.com/id/1034466 http://www.splunk.com/view/SP-CAAAPC3 https://jira.mongodb.org/browse/SERVER-17264 https://security.gentoo.org/glsa/201611-13 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3971
https://notcve.org/view.php?id=CVE-2014-3971
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate. La función CmdAuthenticate::_authenticateX509 en db/commands/authentication_commands.cpp en mongod en MongoDB 2.6.x anterior a 2.6.2 permite a atacantes remotos causar una denegación de servicio (caída del demonio) intentando autenticarse con un certificado cliente X.509 inválido. • https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b https://jira.mongodb.org/browse/SERVER-13753 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 2%CPEs: 23EXPL: 2CVE-2012-6619 – mongodb: memory over-read via incorrect BSON object length
https://notcve.org/view.php?id=CVE-2012-6619
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read. La configuración por defecto para MongoDB anterior a 2.3.2 no valida objetos, lo que permite a usuarios remotos autenticados causar una denegación de servicio (caída) o leer la memoria del sistema a través de un objeto BSON manipulado en el nombre de columna en un comando "insert", lo que provoca una sobrelectura de buffer. • http://blog.ptsecurity.com/2012/11/attacking-mongodb.html http://rhn.redhat.com/errata/RHSA-2014-0230.html http://rhn.redhat.com/errata/RHSA-2014-0440.html http://www.openwall.com/lists/oss-security/2014/01/07/13 http://www.openwall.com/lists/oss-security/2014/01/07/2 http://www.openwall.com/lists/oss-security/2014/01/08/9 https://bugzilla.redhat.com/show_bug.cgi?id=1049748 https://jira.mongodb.org/browse/SERVER-7769 https://access.redhat.com/security/ • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •