CVE-2021-20333 – Server log entry spoofing via newline injection
https://notcve.org/view.php?id=CVE-2021-20333
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or in existing log entries being split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; and MongoDB Server v4.2 versions prior to 4.2.10. • https://jira.mongodb.org/browse/SERVER-50605 • CWE-116: Improper Encoding or Escaping of Output; CWE-117: Improper Output Neutralization for Logs
CVE-2021-20329 – Specific cstrings input may not be properly validated in the Go Driver
https://notcve.org/view.php?id=CVE-2021-20329
Specific cstring input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with a specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB Go Driver versions prior to and including 1.5.0. • https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1 https://access.redhat.com/security/cve/CVE-2021-20329 https://bugzilla.redhat.com/show_bug.cgi?id=1971033 • CWE-20: Improper Input Validation; CWE-1287: Improper Validation of Specified Type of Input
CVE-2021-20331 – MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application
https://notcve.org/view.php?id=CVE-2021-20331
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (it is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1. • https://jira.mongodb.org/browse/CSHARP-3521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-20326 – Specially crafted query may result in a denial of service of mongod
https://notcve.org/view.php?id=CVE-2021-20326
A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4. • https://jira.mongodb.org/browse/SERVER-53929 • CWE-20: Improper Input Validation; CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2020-7924 – Specific command line parameter might result in accepting invalid certificate
https://notcve.org/view.php?id=CVE-2020-7924
Use of a specific command line parameter in MongoDB Tools, which was originally intended only to skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in invalid certificates being accepted. This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0. • https://jira.mongodb.org/browse/TOOLS-2587 • CWE-295: Improper Certificate Validation