cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-7553,https://securityvulnerability.io/vulnerability/CVE-2024-7553,Local Privilege Escalation Vulnerability Affects MongoDB Servers,"A vulnerability exists in MongoDB Server software that arises from improper validation of files loaded from local untrusted directories on Windows operating systems. This weakness could allow for local privilege escalation, leading to the execution of arbitrary actions based on the content of untrusted files. Specifically, MongoDB Server versions prior to specified releases as well as the MongoDB C and PHP Drivers are impacted. To mitigate potential risks, users are advised to upgrade to the latest versions of affected products.",MongoDB,Mongodb,7.8,HIGH,0.0004199999966658652,false,,false,false,false,,,false,false,,2024-08-07T10:15:00.000Z,0
CVE-2024-6376,https://securityvulnerability.io/vulnerability/CVE-2024-6376,MongoDB Compass Vulnerable to Code Injection Due to Sandbox Protection Settings,"A critical security vulnerability has been discovered in MongoDB Compass, identified as CVE-2024-6376, potentially exposing systems to code injection attacks. This flaw affects versions of MongoDB Compass prior to 1.42.2 and has been assigned a CVSS score of 9.8, indicating a high severity level. The vulnerability may allow attackers to execute arbitrary code, alter control flow, and gain unauthorized control of system resources. To mitigate the risk, users and administrators are strongly advised to update MongoDB Compass to version 1.42.2 or newer immediately. It is important for organizations to prioritize this update as part of their security maintenance procedures to prevent potential attacks.",MongoDB,Mongodb Compass,9.8,CRITICAL,0.0006000000284984708,false,,true,false,false,,,false,false,,2024-07-01T14:57:31.704Z,0
CVE-2024-3372,https://securityvulnerability.io/vulnerability/CVE-2024-3372,MongoDB Server Vulnerability: Improper Metadata Validation May Cause Server Unavailability,"In MongoDB Server, a vulnerability exists due to improper validation of specific metadata input. This flaw may lead to issues in the server's ability to correctly serialize BSON, potentially enabling attackers to exploit the vulnerability pre-authentication. As a result, this can lead to unexpected behavior in applications, particularly affecting the serverStatus responses. Affected users utilizing versions v7.0 prior to 7.0.6, v6.0 prior to 6.0.14, and v5.0 prior to 5.0.25 should take immediate measures to update their systems to mitigate risk.",MongoDB,Mongodb Server,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-05-14T13:24:05.097Z,0
CVE-2024-1351,https://securityvulnerability.io/vulnerability/CVE-2024-1351,"TLS Certificate Validation Bypass Vulnerability Affects MongoDB Server Versions Prior to 7.0.5, 6.0.13, 5.0.24, and 4.4.28","A significant vulnerability exists in MongoDB Server where specific configurations of --tlsCAFile and tls.CAFile can result in skipping peer certificate validation. This misconfiguration permits untrusted connections, which poses a substantial risk to overall security by undermining the efficacy of TLS. If the server is initiated with TLS enabled and the appropriate CAFile setting is not configured, it may allow incoming connections that would otherwise be rejected due to failed certificate validation. This flaw affects multiple versions of MongoDB Server across various releases, emphasizing the critical need for correct TLS configurations to maintain secure operations.",MongoDB,Mongodb Server,8.8,HIGH,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-03-07T16:10:19.597Z,0
CVE-2023-0437,https://securityvulnerability.io/vulnerability/CVE-2023-0437,MongoDB client C Driver may infinitely loop when validating certain BSON input data,"An issue has been identified within the MongoDB C Driver where the bson_utf8_validate function may enter an infinite loop when processing certain inputs. This situation arises due to a specific exit condition that cannot be met, leading to prolonged resource usage and potential service disruptions. All versions prior to 1.25.0 of the MongoDB C Driver are impacted, necessitating immediate updates to prevent exploitation of this vulnerability.",MongoDB,Mongodb C Driver,7.5,HIGH,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-01-12T13:33:39.503Z,0
CVE-2023-0436,https://securityvulnerability.io/vulnerability/CVE-2023-0436,Secret logging may occur in debug mode of Atlas Operator,"The MongoDB Atlas Kubernetes Operator has a vulnerability that allows the possibility of exposing sensitive information, including GCP service account keys and API integration secrets, when DEBUG mode logging is enabled. This issue affects specific versions of the operator and occurs due to improper logging configurations that end-users can set. Notably, DEBUG mode must be deliberately enabled by users, as it is not the default setting. For those operating on the affected versions, it is essential to review the deployment configuration and consider upgrading to the latest supported version to maintain security integrity.",MongoDB,MongoDB Atlas Kubernetes Operator,7.5,HIGH,0.0012700000079348683,false,,false,false,false,,,false,false,,2023-11-07T12:15:00.000Z,0
CVE-2021-32050,https://securityvulnerability.io/vulnerability/CVE-2021-32050,Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application,"Certain MongoDB Drivers may mistakenly expose sensitive authentication data through a command listener that can be configured by applications. When specific authentication commands are executed, this information is published as events. If an application has the command listener feature enabled, a setting that is not activated by default, it may inadvertently log this sensitive information, posing a significant risk of data exposure. Users are encouraged to review product versions and implement protections accordingly.",MongoDB,"Mongodb C Driver,Mongodb C++ Driver,Mongodb PHP Driver,Mongodb Swift Driver,Mongodb Node.js Driver",7.5,HIGH,0.0019099999917671084,false,,false,false,false,,,false,false,,2023-08-29T15:24:30.389Z,0
CVE-2023-1409,https://securityvulnerability.io/vulnerability/CVE-2023-1409,Certificate validation issue in MongoDB Server running on Windows or macOS,"A configuration flaw in the MongoDB Server on Windows and macOS platforms enables the potential risk of bypassing client certificate validation when using TLS with certain settings. This vulnerability may allow unauthorized clients to connect to the server as valid entities, compromising the integrity of secure communications. Affected versions include MongoDB Server v6.3, v5.0 from v5.0.0 to v5.0.14, and all MongoDB Server v4.4 builds.",MongoDB,Mongodb Server,7.5,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-08-23T16:15:00.000Z,0
CVE-2023-4009,https://securityvulnerability.io/vulnerability/CVE-2023-4009,Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager,"An authenticated user with project owner or project user admin access in MongoDB Ops Manager versions prior to 5.0.22 and 6.0.17 can exploit a vulnerability to generate an API key with org owner privileges. This allows for unauthorized access and potential manipulation of data, posing a significant security risk. Organizations using affected versions should promptly update to mitigate this concern.",MongoDB,Mongodb Ops Manager,7.2,HIGH,0.0018500000005587935,false,,false,false,false,,,false,false,,2023-08-08T09:15:00.000Z,0
CVE-2021-32040,https://securityvulnerability.io/vulnerability/CVE-2021-32040,Large aggregation pipelines with a specific stage can crash mongod under default configuration,"It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.",MongoDB,Mongodb Server,7.5,HIGH,0.004989999812096357,false,,false,false,false,,,false,false,,2022-04-12T00:00:00.000Z,0
CVE-2019-20925,https://securityvulnerability.io/vulnerability/CVE-2019-20925,Denial of service via malformed network packet,"An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.",MongoDB,Mongodb Server,7.5,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2020-11-24T00:00:00.000Z,0
CVE-2020-7925,https://securityvulnerability.io/vulnerability/CVE-2020-7925,Denial of Service when processing malformed Role names,Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.,MongoDB,Mongodb Server,7.5,HIGH,0.0012799999676644802,false,,false,false,false,,,false,false,,2020-11-23T15:15:00.000Z,0
CVE-2020-7610,https://securityvulnerability.io/vulnerability/CVE-2020-7610,Deserialization Vulnerability in BSON Package Affecting Multiple Applications,"The BSON package is susceptible to a deserialization vulnerability that arises when an unknown value is encountered for an object's _bsotype. This flaw may result in objects being serialized as documents instead of the intended BSON types, potentially leading to unintended behaviors and security issues in applications relying on the BSON library.",Mongodb,Bson,9.8,CRITICAL,0.0029100000392645597,false,,false,false,false,,,false,false,,2020-03-30T18:28:17.000Z,0
CVE-2015-4411,https://securityvulnerability.io/vulnerability/CVE-2015-4411,Denial of Service Vulnerability in MongoDB BSON Ruby by Moped,"The Moped::BSON::ObjecId.legal? method in the mongoid/moped library, prior to version 3.0.4, is susceptible to crafted input that could lead to resource exhaustion. This vulnerability allows remote attackers to exploit the method, resulting in a denial of service by consuming worker resources. This was reported as a result of an incomplete fix related to a previous vulnerability (CVE-2015-4410).",Mongodb,Bson,7.5,HIGH,0.02256999909877777,false,,false,false,false,,,false,false,,2020-02-20T16:24:22.000Z,0
CVE-2013-0165,https://securityvulnerability.io/vulnerability/CVE-2013-0165,Improper File Creation Vulnerability in OpenShift MongoDB Cartridge,"The OpenShift MongoDB cartridge has a vulnerability that arises from improper file handling within the dump.sh script. This issue allows for the creation of files in the /tmp directory without appropriate checks, potentially exposing sensitive data and leading to unauthorized access. Users of affected versions should take immediate steps to assess their deployments and apply necessary security measures to mitigate potential exploitation.",Openshift Mongodb Cartridge,Openshift Mongodb Cartridge,7.3,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2019-11-01T18:12:44.000Z,0
CVE-2019-2390,https://securityvulnerability.io/vulnerability/CVE-2019-2390,Code execution on Windows via OpenSSL engine injection,"An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.",MongoDB,Mongodb Server,8.2,HIGH,0.0010499999625608325,false,,false,false,false,,,false,false,,2019-08-30T14:41:19.000Z,0
CVE-2019-2386,https://securityvulnerability.io/vulnerability/CVE-2019-2386,Authorization session conflation,"After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.",MongoDB,Mongodb Server,7.1,HIGH,0.0017900000093504786,false,,false,false,false,,,false,false,,2019-08-06T18:32:07.000Z,0
CVE-2015-7882,https://securityvulnerability.io/vulnerability/CVE-2015-7882,Authentication bypass when using LDAP authentication in MongoDB Enterprise Server,Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.,Mongodb,Mongodb,8.1,HIGH,0.003640000009909272,false,,false,false,false,,,false,false,,2019-07-19T15:44:44.000Z,0
CVE-2018-16790,https://securityvulnerability.io/vulnerability/CVE-2018-16790,,"_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.",Mongodb,Libbson,8.1,HIGH,0.001829999964684248,false,,false,false,false,,,false,false,,2018-09-10T05:00:00.000Z,0
CVE-2018-13863,https://securityvulnerability.io/vulnerability/CVE-2018-13863,,The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.,Mongodb,Js-bson,7.5,HIGH,0.001019999966956675,false,,false,false,false,,,false,false,,2018-07-10T20:29:00.000Z,0
CVE-2017-15535,https://securityvulnerability.io/vulnerability/CVE-2017-15535,,"MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.",Mongodb,Mongodb,9.1,CRITICAL,0.0014700000174343586,false,,false,false,false,,,false,false,,2017-11-01T01:00:00.000Z,0
CVE-2017-14227,https://securityvulnerability.io/vulnerability/CVE-2017-14227,,"In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.",Mongodb,Mongodb,7.5,HIGH,0.009580000303685665,false,,false,false,false,,,false,false,,2017-09-09T08:00:00.000Z,0
CVE-2016-3104,https://securityvulnerability.io/vulnerability/CVE-2016-3104,,"mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.",Mongodb,Mongodb,7.5,HIGH,0.0032500000670552254,false,,false,false,false,,,false,false,,2017-04-14T18:00:00.000Z,0