CVE-2021-20327 – MongoDB Node.js client side field level encryption library may not be validating KMS certificate
https://notcve.org/view.php?id=CVE-2021-20327
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server's certificate. This vulnerability, in combination with an active MITM attack from a privileged network position, could result in interception of traffic between the Node.js driver and the KMS service, rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don't use Field Level Encryption. • https://jira.mongodb.org/browse/NODE-3125 • CWE-295: Improper Certificate Validation •
CVE-2021-20335 – SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager
https://notcve.org/view.php?id=CVE-2021-20335
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted. Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue. For MongoDB Ops Manager versions prior to or equal to 4.2.24 with multiple OM application servers that have SSL enabled for their MongoDB processes, upgrading to MongoDB Ops Manager versions prior to or equal to 4.4.12 triggers a bug in which Automation believes SSL is being disabled, and may temporarily disable SSL for members of the cluster. This issue is temporary and eventually corrects itself after the MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager version 4.4. • https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2019-20925 – Denial of service via malformed network packet
https://notcve.org/view.php?id=CVE-2019-20925
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24. An unauthenticated client can trigger a denial of service by issuing specially crafted wire protocol messages, which cause a message decompressor to allocate memory incorrectly. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24. • https://jira.mongodb.org/browse/SERVER-43751 • CWE-697: Incorrect Comparison CWE-839: Numeric Range Comparison Without Minimum Check •
CVE-2020-7927 – Potential privilege escalation in Ops Manager API
https://notcve.org/view.php?id=CVE-2020-7927
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 and MongoDB Ops Manager v4.4 versions prior to and including 4.4.2. Specially crafted API calls may allow an authenticated user holding the Organization Owner privilege to obtain an API key with the Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2. • https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.4.3 • CWE-648: Incorrect Use of Privileged APIs •
CVE-2018-20803 – Infinite loop in aggregation expression
https://notcve.org/view.php?id=CVE-2018-20803
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19. A user authorized to run database queries may trigger a denial of service by issuing specially crafted queries that loop indefinitely in mathematical processing while holding locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19. • https://jira.mongodb.org/browse/SERVER-38070 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •