CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8207 – MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths
https://notcve.org/view.php?id=CVE-2024-8207
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3. Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue • https://jira.mongodb.org/browse/SERVER-69507 • CWE-114: Process Control •
CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-7553 – Accessing Untrusted Directory May Allow Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-7553
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue • https://jira.mongodb.org/browse/CDRIVER-5650 https://jira.mongodb.org/browse/PHPC-2369 https://jira.mongodb.org/browse/SERVER-93211 • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3374 – MongoDB Server (mongod) may crash when generating ftdc
https://notcve.org/view.php?id=CVE-2024-3374
An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5. Un usuario no autenticado puede desencadenar una afirmación fatal en el servidor mientras genera métricas de diagnóstico ftdc debido a que intenta crear un objeto BSON que excede ciertos tamaños de memoria. Este problema afecta a las versiones de MongoDB Server v5.0 anteriores a la 5.0.16 incluida y a las versiones de MongoDB Server v6.0 anteriores a la 6.0.5 incluida. • https://jira.mongodb.org/browse/SERVER-75601 • CWE-617: Reachable Assertion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-3372 – MongoDB Server may have unexpected application behaviour due to invalid BSON
https://notcve.org/view.php?id=CVE-2024-3372
Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25. Una validación inadecuada de cierta entrada de metadatos puede provocar que el servidor no serialice correctamente BSON. Esto se puede realizar antes de la autenticación y puede provocar un comportamiento inesperado de la aplicación, incluida la falta de disponibilidad de las respuestas de serverStatus. • https://jira.mongodb.org/browse/SERVER-85263 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1351 – MongoDB Server may allow successful untrusted connection
https://notcve.org/view.php?id=CVE-2024-1351
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28. Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured. Bajo ciertas configuraciones de --tlsCAFile y tls.CAFile, el servidor MongoDB puede omitir la validación de certificados de pares, lo que puede resultar en conexiones que no son de confianza para tener éxito. Esto puede reducir efectivamente las garantías de seguridad proporcionadas por TLS y abrir conexiones que deberían haberse cerrado debido a una validación fallida del certificado. • https://jira.mongodb.org/browse/SERVER-72839 https://security.netapp.com/advisory/ntap-20240524-0010 https://www.mongodb.com/docs/manual/release-notes/4.4/#4.4.29---february-28--2024 https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.6---feb-28--2024 https://www.mongodb.com/docs/v5.0/release-notes/5.0/#5.0.25---february-28--2024 https://www.mongodb.com/docs/v6.0/release-notes/6.0/#6.0.14---feb-28--2024 • CWE-295: Improper Certificate Validation •