cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10921,https://securityvulnerability.io/vulnerability/CVE-2024-10921,Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server,"An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30, MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.",MongoDB,Mongodb Server,6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-11-14T16:15:00.000Z,0
CVE-2024-8013,https://securityvulnerability.io/vulnerability/CVE-2024-8013,Data Exposure in MongoDB Enterprise Server Due to Bug in Query Analysis,"A vulnerability exists within the query analysis mechanism of MongoDB Enterprise Server, specifically in complex self-referential $lookup subpipelines. This issue can lead to encrypted fields being transmitted to the server as plaintext, rather than maintaining their intended encrypted state. As a result, no documents are returned or created during these operations, potentially exposing sensitive information. The affected components include specific versions of the mongocryptd binary and the mongo_crypt_v1.so shared libraries. Corrective actions may be necessary for versions released prior to specified updates to ensure data security and integrity.",Mongodb,"Mongo Crypt V1.so,Mongocryptd",3.3,LOW,0.0004299999854993075,false,false,false,false,,false,false,2024-10-28T13:15:00.000Z,0
CVE-2024-8305,https://securityvulnerability.io/vulnerability/CVE-2024-8305,Index Constraint Enforcement Issues in MongoDB Server,"A vulnerability exists in MongoDB Server related to the incorrect enforcement of index constraints on secondary instances. This could lead to the failure of multiple secondary nodes, which in turn may result in the loss of primary node functionality and disrupt database operations. The issue primarily affects MongoDB Server versions 6.0 prior to 6.0.17, 7.0 prior to 7.0.13, and 7.3 prior to 7.3.4, and poses significant risks to data integrity and availability in production environments.",Mongodb,Mongodb,6.5,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2024-10-21T15:15:00.000Z,0
CVE-2024-8654,https://securityvulnerability.io/vulnerability/CVE-2024-8654,MongoDB Server May Experience Unexpected Behavior Due to Incorrect Memory Access,"MongoDB Server may access a non-initialized region of memory, leading to unexpected behaviour when zero arguments are passed to an internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.",MongoDB,Mongodb Server,5,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-09-10T13:35:50.554Z,0
CVE-2024-8207,https://securityvulnerability.io/vulnerability/CVE-2024-8207,"Linux systems with MongoDB Server may load unintended libraries, potentially leading to unauthorized access","A specific vulnerability exists in certain configurations of the MongoDB Server installation on Linux Operating Systems. This issue arises when an unintended actor gains host-level access, potentially causing the MongoDB Server binary to load libraries that are controlled by the actor. This situation could result in the actor obtaining full control over the MongoDB server process, compromising the security of the data managed by the server. The vulnerability affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3. Users operating in Linux environments are advised to review their configurations to mitigate this risk. For further details, refer to the [MongoDB Jira reference](https://jira.mongodb.org/browse/SERVER-69507).",MongoDB,Mongodb Server,6.7,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-08-27T11:28:06.891Z,0
CVE-2024-6384,https://securityvulnerability.io/vulnerability/CVE-2024-6384,Underprivileged Users Can Access Sensitive Data via Backup Files in Previous MongoDB Versions,"""Hot"" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3.",MongoDB,Mongodb Server,5.3,MEDIUM,0.0004900000058114529,false,false,false,false,,false,false,2024-08-13T14:22:22.847Z,0
CVE-2024-7553,https://securityvulnerability.io/vulnerability/CVE-2024-7553,Local Privilege Escalation Vulnerability Affects MongoDB Servers,"A vulnerability exists in MongoDB Server software that arises from improper validation of files loaded from local untrusted directories on Windows operating systems. This weakness could allow for local privilege escalation, leading to the execution of arbitrary actions based on the content of untrusted files. Specifically, MongoDB Server versions prior to specified releases as well as the MongoDB C and PHP Drivers are impacted. To mitigate potential risks, users are advised to upgrade to the latest versions of affected products.",MongoDB,Mongodb,7.8,HIGH,0.0004199999966658652,false,false,false,false,,false,false,2024-08-07T10:15:00.000Z,0
CVE-2024-6383,https://securityvulnerability.io/vulnerability/CVE-2024-6383,Buffer Overflow Vulnerability in MongoDB C Driver Could Lead to Memory Corruption,"The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small a buffer, which may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1.",MongoDB,Libbson,5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-07-03T22:15:00.000Z,0
CVE-2024-6381,https://securityvulnerability.io/vulnerability/CVE-2024-6381,"MongoDB C Driver Library Vulnerable to Integer Overflow, May Cause Memory Corruption","The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.",MongoDB,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-07-02T18:15:00.000Z,0
CVE-2024-6382,https://securityvulnerability.io/vulnerability/CVE-2024-6382,Unintended Server Commands May Cause Unexpected Application Behavior,"Incorrect handling of certain string inputs may result in the MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2.",MongoDB,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-07-02T18:15:00.000Z,0
CVE-2024-6376,https://securityvulnerability.io/vulnerability/CVE-2024-6376,MongoDB Compass Vulnerable to Code Injection Due to Sandbox Protection Settings,"A critical security vulnerability has been discovered in MongoDB Compass, identified as CVE-2024-6376, potentially exposing systems to code injection attacks. This flaw affects versions of MongoDB Compass prior to 1.42.2 and has been assigned a CVSS score of 9.8, indicating a high severity level. The vulnerability may allow attackers to execute arbitrary code, alter control flow, and gain unauthorized control of system resources. To mitigate the risk, users and administrators are strongly advised to update MongoDB Compass to version 1.42.2 or newer immediately. It is important for organizations to prioritize this update as part of their security maintenance procedures to prevent potential attacks.",MongoDB,Mongodb Compass,9.8,CRITICAL,0.0006000000284984708,false,true,false,false,,false,false,2024-07-01T14:57:31.704Z,0
CVE-2024-6375,https://securityvulnerability.io/vulnerability/CVE-2024-6375,Missing Authorization Check in MongoDB Shard Commands Can Lead to Security Risks,"A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions prior to 5.0.22, MongoDB Server v6.0 versions prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-07-01T14:40:32.566Z,0
CVE-2024-5629,https://securityvulnerability.io/vulnerability/CVE-2024-5629,Out-of-bounds read in bson module of PyMongo,"An out-of-bounds read was identified in the bson module of PyMongo versions prior to 4.6.3. This vulnerability permits the deserialization of malformed BSON data sent from a server, which can trigger an exception potentially exposing arbitrary application memory. The implications of this vulnerability could lead to unauthorized access to sensitive data or system instability. Users are advised to upgrade to the latest version of PyMongo to mitigate risks associated with this vulnerability.",MongoDB,Pymongo,8.1,HIGH,0.0007999999797903001,false,false,false,false,,false,false,2024-06-05T15:15:00.000Z,0
CVE-2024-3374,https://securityvulnerability.io/vulnerability/CVE-2024-3374,Fatal Assertion in Server Due to BSON Object Size Limit Exceedance,"An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.",MongoDB,Mongodb Server,5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-05-14T13:26:42.389Z,0
CVE-2024-3372,https://securityvulnerability.io/vulnerability/CVE-2024-3372,MongoDB Server Vulnerability: Improper Metadata Validation May Cause Server Unavailability,"In MongoDB Server, a vulnerability exists due to improper validation of specific metadata input. This flaw may lead to issues in the server's ability to correctly serialize BSON, potentially enabling attackers to exploit the vulnerability pre-authentication. As a result, this can lead to unexpected behavior in applications, particularly affecting the serverStatus responses. Affected users utilizing versions v7.0 prior to 7.0.6, v6.0 prior to 6.0.14, and v5.0 prior to 5.0.25 should take immediate measures to update their systems to mitigate risk.",MongoDB,Mongodb Server,7.5,HIGH,0.0004299999854993075,false,false,false,false,,false,false,2024-05-14T13:24:05.097Z,0
CVE-2024-3371,https://securityvulnerability.io/vulnerability/CVE-2024-3371,MongoDB Compass Vulnerability Could Lead to Data Disclosure and User Impersonation,"MongoDB Compass has a vulnerability that stems from inadequate validation of input received from untrusted external sources. This flaw can lead to unexpected application behaviors, including the potential for unauthorized data exposure and user impersonation. It is critical for users and administrators of MongoDB Compass, particularly from versions 1.35.0 to 1.42.0, to mitigate this issue promptly to protect sensitive information from being compromised.",MongoDB,Mongodb Compass,7.1,HIGH,0.0004299999854993075,false,false,false,false,,false,false,2024-04-24T17:15:00.000Z,0
CVE-2024-1351,https://securityvulnerability.io/vulnerability/CVE-2024-1351,"TLS Certificate Validation Bypass Vulnerability Affects MongoDB Server Versions Prior to 7.0.5, 6.0.13, 5.0.24, and 4.4.28","A significant vulnerability exists in MongoDB Server where specific configurations of --tlsCAFile and tls.CAFile can result in skipping peer certificate validation. This misconfiguration permits untrusted connections, which poses a substantial risk to overall security by undermining the efficacy of TLS. If the server is initiated with TLS enabled and the appropriate CAFile setting is not configured, it may allow incoming connections that would otherwise be rejected due to failed certificate validation. This flaw affects multiple versions of MongoDB Server across various releases, emphasizing the critical need for correct TLS configurations to maintain secure operations.",MongoDB,Mongodb Server,8.8,HIGH,0.0004400000034365803,false,false,false,false,,false,false,2024-03-07T16:10:19.597Z,0
CVE-2023-0437,https://securityvulnerability.io/vulnerability/CVE-2023-0437,MongoDB client C Driver may infinitely loop when validating certain BSON input data,"An issue has been identified within the MongoDB C Driver where the bson_utf8_validate function may enter an infinite loop when processing certain inputs. This situation arises due to a specific exit condition that cannot be met, leading to prolonged resource usage and potential service disruptions. All versions prior to 1.25.0 of the MongoDB C Driver are impacted, necessitating immediate updates to prevent exploitation of this vulnerability.",MongoDB,Mongodb C Driver,5.3,MEDIUM,0.0005499999970197678,false,false,false,false,,false,false,2024-01-12T13:33:39.503Z,0
CVE-2023-0436,https://securityvulnerability.io/vulnerability/CVE-2023-0436,Secret logging may occur in debug mode of Atlas Operator,"The MongoDB Atlas Kubernetes Operator has a vulnerability that allows the possibility of exposing sensitive information, including GCP service account keys and API integration secrets, when DEBUG mode logging is enabled. This issue affects specific versions of the operator and occurs due to improper logging configurations that end-users can set. Notably, DEBUG mode must be deliberately enabled by users, as it is not the default setting. For those operating on the affected versions, it is essential to review the deployment configuration and consider upgrading to the latest supported version to maintain security integrity.",MongoDB,MongoDB Atlas Kubernetes Operator,7.5,HIGH,0.0012700000079348683,false,false,false,false,,false,false,2023-11-07T12:15:00.000Z,0
CVE-2021-32050,https://securityvulnerability.io/vulnerability/CVE-2021-32050,Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application,"Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).",MongoDB,"Mongodb C Driver,Mongodb C++ Driver,Mongodb PHP Driver,Mongodb Swift Driver,Mongodb Node.js Driver",4.2,MEDIUM,0.00203999993391335,false,false,false,false,,false,false,2023-08-29T15:24:30.389Z,0
CVE-2023-1409,https://securityvulnerability.io/vulnerability/CVE-2023-1409,Certificate validation issue in MongoDB Server running on Windows or macOS,"If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing a client to establish a TLS connection with the server while supplying any certificate. This issue affects all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.",MongoDB,Mongodb Server,5.3,MEDIUM,0.0008099999977275729,false,false,false,false,,false,false,2023-08-23T16:15:00.000Z,0
CVE-2023-4009,https://securityvulnerability.io/vulnerability/CVE-2023-4009,Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager,"An authenticated user with project owner or project user admin access in MongoDB Ops Manager versions prior to 5.0.22 and 6.0.17 can exploit a vulnerability to generate an API key with org owner privileges. This allows for unauthorized access and potential manipulation of data, posing a significant security risk. Organizations using affected versions should promptly update to mitigate this concern.",MongoDB,Mongodb Ops Manager,7.2,HIGH,0.0017600000137463212,false,false,false,false,,false,false,2023-08-08T09:15:00.000Z,0
CVE-2023-0342,https://securityvulnerability.io/vulnerability/CVE-2023-0342,MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive,"MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12.",MongoDB,MongoDB Ops Manager,5.3,MEDIUM,0.011789999902248383,false,false,false,false,,false,false,2023-06-09T00:00:00.000Z,0
CVE-2022-48282,https://securityvulnerability.io/vulnerability/CVE-2022-48282,Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution,"Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0. The following configuration must be true for the vulnerability to be applicable: * Application must be written in C#, taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have a domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to the target database to add a _t discriminator.",MongoDB,Mongodb .net/c# Driver,6.6,MEDIUM,0.0009899999713525176,false,false,false,false,,false,false,2023-02-21T18:35:11.643Z,0
CVE-2022-24272,https://securityvulnerability.io/vulnerability/CVE-2022-24272,MongoDB Server (mongod) may crash in response to unexpected requests,"An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0009399999980814755,false,false,false,false,,false,false,2022-04-21T11:15:00.000Z,0