
CVE-2019-2391 – JS-bson may incorrectly serialise some requests
https://notcve.org/view.php?id=CVE-2019-2391
31 Mar 2020 — Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior. • https://github.com/mongodb/js-bson/releases/tag/v1.1.4 • CWE-502: Deserialization of Untrusted Data

CVE-2020-7610
https://notcve.org/view.php?id=CVE-2020-7610
30 Mar 2020 — All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type. • https://snyk.io/vuln/SNYK-JS-BSON-561052 • CWE-502: Deserialization of Untrusted Data

CVE-2015-4411
https://notcve.org/view.php?id=CVE-2015-4411
20 Feb 2020 — The Moped::BSON::ObjectId.legal? method in mongodb/bson-ruby before 3.0.4, as used in rubygem-moped, allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix for CVE-2015-4410. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161964.html • CWE-400: Uncontrolled Resource Consumption

CVE-2019-2389 – Process termination via PID file manipulation
https://notcve.org/view.php?id=CVE-2019-2389
30 Aug 2019 — Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22. • https://jira.mongodb.org/browse/SERVER-40563 • CWE-20: Improper Input Validation • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2019-2390 – Code execution on Windows via OpenSSL engine injection
https://notcve.org/view.php?id=CVE-2019-2390
30 Aug 2019 — An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB Server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 versions prior to 3.4.22. • https://jira.mongodb.org/browse/SERVER-42233 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2019-2386 – Authorization session conflation
https://notcve.org/view.php?id=CVE-2019-2386
06 Aug 2019 — After user deletion in MongoDB Server, the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Ref... • https://jira.mongodb.org/browse/SERVER-38984 • CWE-285: Improper Authorization • CWE-613: Insufficient Session Expiration

CVE-2015-7882 – Authentication bypass when using LDAP authentication in MongoDB Enterprise Server
https://notcve.org/view.php?id=CVE-2015-7882
19 Jul 2019 — Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. • https://jira.mongodb.org/browse/SERVER-20691 • CWE-287: Improper Authentication

CVE-2018-16790
https://notcve.org/view.php?id=CVE-2018-16790
10 Sep 2018 — _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer. • https://bugzilla.redhat.com/show_bug.cgi?id=1627923#c3 • CWE-125: Out-of-bounds Read

CVE-2018-13863
https://notcve.org/view.php?id=CVE-2018-13863
10 Jul 2018 — The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string. • https://github.com/ossf-cve-benchmark/CVE-2018-13863

CVE-2017-2665
https://notcve.org/view.php?id=CVE-2017-2665
06 Jul 2018 — The skyring-setup command creates a random password for the mongodb skyring database, but it writes the password in plain text to the /etc/skyring/skyring.conf file, which is owned by root but readable by local users. Any local user with access to a system running the skyring service is able to obtain the password in plain text. • http://www.securityfocus.com/bid/97612 • CWE-522: Insufficiently Protected Credentials