CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32036 – Denial of Service and Data Integrity vulnerability in features command
https://notcve.org/view.php?id=CVE-2021-32036
04 Feb 2022 — An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 ... • https://jira.mongodb.org/browse/SERVER-59294 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32039 – MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text
https://notcve.org/view.php?id=CVE-2021-32039
20 Jan 2022 — Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0 Los usuarios con acceso apropiado a los archivos pueden ser capaces de acceder a las credenciales de usuario sin cifrar guardadas por MongoDB Extension for VS Code en un archivo binario... • https://github.com/mongodb-js/vscode/releases/tag/v0.8.0 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2267
https://notcve.org/view.php?id=CVE-2020-2267
16 Sep 2020 — A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller. Una falta de comprobación de permisos en Jenkins MongoDB Plugin versiones 1.3 y anteriores, permite a atacantes con permiso Overall/Read conseguir acceso a algunos metadatos de cualquier archivo arbitrario en el controlador de Jenkins • http://www.openwall.com/lists/oss-security/2020/09/16/3 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2268
https://notcve.org/view.php?id=CVE-2020-2268
16 Sep 2020 — A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins MongoDB Plugin versiones 1.3 y anteriores, permite a atacantes conseguir acceso a algunos metadatos de cualquier archivo arbitrario en el controlador de Jenkins • http://www.openwall.com/lists/oss-security/2020/09/16/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 60EXPL: 0CVE-2019-3800 – CF CLI writes the client id and secret to config file
https://notcve.org/view.php?id=CVE-2019-3800
05 Aug 2019 — CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials. La CLI de CF anterior a versión v6.45.0 (versión de lanzamiento bosh 1.16.0), escribe el id y el secreto del cliente hacia su archivo de configuración cuando el usuario se autentica con el flag --... • https://pivotal.io/security/cve-2019-3800 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2017-14227
https://notcve.org/view.php?id=CVE-2017-14227
09 Sep 2017 — In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c. En MongoDB libbson 1.7.0, la función bson_iter_codewscope en bson-iter.c no calcula correctamente un argumento de longitud bson_utf8_validate, lo que permite que atacantes remotos provoquen una denegación de se... • http://www.securityfocus.com/bid/100825 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6494
https://notcve.org/view.php?id=CVE-2016-6494
03 Oct 2016 — The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files. El cliente en MongoDB utiliza permisos accesibles a todos en archivos históricos .dbshell, lo que podría permitir a usuarios locales obtener información sensible leyendo estos archivos. • http://www.openwall.com/lists/oss-security/2016/07/29/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 10EXPL: 0CVE-2015-1609 – Gentoo Linux Security Advisory 201611-13
https://notcve.org/view.php?id=CVE-2015-1609
30 Mar 2015 — MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request. MongoDB anterior a 2.4.13 y 2.6.x anterior a 2.6.8 permite a atacantes remotos causar una denegación de servicio a través de una cadena UTF-8 manipulada en una solicitud BSON. A vulnerability in MongoDB can lead to a Denial of Service condition. Versions less than 2.4.13 are affected. • http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152493.html • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 2%CPEs: 23EXPL: 2CVE-2012-6619 – mongodb: memory over-read via incorrect BSON object length
https://notcve.org/view.php?id=CVE-2012-6619
04 Mar 2014 — The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read. La configuración por defecto para MongoDB anterior a 2.3.2 no valida objetos, lo que permite a usuarios remotos autenticados causar una denegación de servicio (caída) o leer la memoria del sistema a través de un objeto BSON manipulad... • http://blog.ptsecurity.com/2012/11/attacking-mongodb.html • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 2%CPEs: 18EXPL: 1CVE-2013-2132 – pymongo: null pointer when decoding invalid DBRef
https://notcve.org/view.php?id=CVE-2013-2132
11 Jun 2013 — bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef." bson/_cbsonmodule.c en el mongo-python-driver (también conocido como pymongo) anterior a v2.5.2, como es usado en MongoDB, permite a atacantes dependientes del contexto causar una denegación de servicio (referencia NULL y caída de la aplicación) a través de ve... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597 • CWE-476: NULL Pointer Dereference •