CVE-2020-7924 – Specific command line parameter might result in accepting invalid certificate
https://notcve.org/view.php?id=CVE-2020-7924
Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0. • https://jira.mongodb.org/browse/TOOLS-2587 • CWE-295: Improper Certificate Validation •
CVE-2021-20334 – Local privilege escalation in MongoDB Compass for Windows
https://notcve.org/view.php?id=CVE-2021-20334
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows. Un tercero malicioso con acceso local a la máquina de Windows donde MongoDB Compass está instalado puede ejecutar software arbitrario con los privilegios del usuario que está ejecutando MongoDB Compass. Este problema afecta a: MongoDB Inc. • https://jira.mongodb.org/browse/COMPASS-4510 • CWE-269: Improper Privilege Management •
CVE-2018-25004 – Invariant failure when explaining a find with a UUID
https://notcve.org/view.php?id=CVE-2018-25004
A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11. Un usuario autorizado para llevar a cabo un tipo específico de consulta puede desencadenar una denegación de servicio al emitir un comando de explicación genérico en una consulta de búsqueda. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.0 anteriores a 4.0.6; MongoDB Server versiones v3.6 anteriores a 3.6.11 • https://jira.mongodb.org/browse/SERVER-38275 • CWE-20: Improper Input Validation •
CVE-2020-7929 – Specially crafted regex query can cause DoS
https://notcve.org/view.php?id=CVE-2020-7929
A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20. Un usuario autorizado para llevar a cabo consultas a la base de datos puede desencadenar una denegación de servicio cuando se emite una consulta especialmente diseñada que contenga un tipo de expresión regular. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v3.6 anteriores a 3.6.21 y MongoDB Server versiones v4.0 anteriores a 4.0.20 • https://jira.mongodb.org/browse/SERVER-51083 • CWE-185: Incorrect Regular Expression •
CVE-2021-20328 – MongoDB Java driver client-side field level encryption not verifying KMS host name
https://notcve.org/view.php?id=CVE-2021-20328
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. • https://jira.mongodb.org/browse/JAVA-4017 https://access.redhat.com/security/cve/CVE-2021-20328 https://bugzilla.redhat.com/show_bug.cgi?id=1934236 • CWE-295: Improper Certificate Validation •