CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32040 – Large aggregation pipelines with a specific stage can crash mongod under default configuration
https://notcve.org/view.php?id=CVE-2021-32040
12 Apr 2022 — It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: >= v4.2.16 us... • https://jira.mongodb.org/browse/SERVER-58203 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32036 – Denial of Service and Data Integrity vulnerability in features command
https://notcve.org/view.php?id=CVE-2021-32036
04 Feb 2022 — An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 ... • https://jira.mongodb.org/browse/SERVER-59294 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-20330 – Specific replication command with malformed oplog entries can crash secondaries
https://notcve.org/view.php?id=CVE-2021-20330
15 Dec 2021 — An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9. Un atacante con permisos CRUD básicos en una colección replicada puede ejecutar el comando applyOps con entradas oplog especialmente malformadas, resultando en u... • https://jira.mongodb.org/browse/SERVER-36263 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-7928 – Improper neutralization of null byte leads to read overrun
https://notcve.org/view.php?id=CVE-2020-7928
23 Nov 2020 — A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20. Un usuario autorizado para realizar consultas de la base de datos puede desencadenar un desbordamiento de lectura y acceder a la memoria arbitraria mediante la emisión d... • https://jira.mongodb.org/browse/SERVER-49404 • CWE-158: Improper Neutralization of Null Byte or NUL Character •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-2392 – $mod can result in undefined behavior
https://notcve.org/view.php?id=CVE-2019-2392
23 Nov 2020 — A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20. Un usuario autorizado que lleva a cabo consultas en la base de datos puede desencadenar una denegación de servicio al emitir consultas especialmente diseñadas, que usan el... • https://jira.mongodb.org/browse/SERVER-43699 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 1%CPEs: 12EXPL: 0CVE-2020-7925 – Denial of Service when processing malformed Role names
https://notcve.org/view.php?id=CVE-2020-7925
23 Nov 2020 — Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9. Una comprobación inapropiada de la entrada del usuario en el analizador de nombres de funciones puede conllevar al uso de memoria no inicializada, permitiendo a un atacante no autenticado usar una ... • https://jira.mongodb.org/browse/SERVER-49142 • CWE-20: Improper Input Validation CWE-475: Undefined Behavior for Input to API •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-7923 – Specific GeoQuery can cause DoS against MongoDB Server
https://notcve.org/view.php?id=CVE-2020-7923
21 Aug 2020 — A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19. Un usuario autorizado para llevar a cabo consultas en la base de datos puede causar una denegación de servicio al emitir consultas especialmente diseñadas, que viola... • https://jira.mongodb.org/browse/SERVER-47773 • CWE-755: Improper Handling of Exceptional Conditions •