cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10921,https://securityvulnerability.io/vulnerability/CVE-2024-10921,Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server,"An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30, MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.",MongoDB,Mongodb Server,6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-11-14T16:15:00.000Z,0
CVE-2024-8654,https://securityvulnerability.io/vulnerability/CVE-2024-8654,MongoDB Server May Experience Unexpected Behavior Due to Incorrect Memory Access,MongoDB Server may access a non-initialized region of memory leading to unexpected behaviour when zero arguments are called in an internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.,MongoDB,Mongodb Server,5,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-09-10T13:35:50.554Z,0
CVE-2024-8207,https://securityvulnerability.io/vulnerability/CVE-2024-8207,"Linux systems with MongoDB Server may load unintended libraries, potentially leading to unauthorized access","A specific vulnerability exists in certain configurations of the MongoDB Server installation on Linux Operating Systems. This issue arises when an unintended actor gains host-level access, potentially causing the MongoDB Server binary to load libraries that are controlled by the actor. This situation could result in the actor obtaining full control over the MongoDB server process, compromising the security of the data managed by the server. The vulnerability affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3. Users operating in Linux environments are advised to review their configurations to mitigate this risk. For further details, refer to the [MongoDB Jira reference](https://jira.mongodb.org/browse/SERVER-69507).",MongoDB,Mongodb Server,6.7,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-08-27T11:28:06.891Z,0
CVE-2024-6384,https://securityvulnerability.io/vulnerability/CVE-2024-6384,Underprivileged Users Can Access Sensitive Data via Backup Files in Previous MongoDB Versions,"""Hot"" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3.",MongoDB,Mongodb Server,5.3,MEDIUM,0.0004900000058114529,false,false,false,false,,false,false,2024-08-13T14:22:22.847Z,0
CVE-2024-6375,https://securityvulnerability.io/vulnerability/CVE-2024-6375,Missing Authorization Check in MongoDB Shard Commands Can Lead to Security Risks,"A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions prior to 5.0.22, MongoDB Server v6.0 versions prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-07-01T14:40:32.566Z,0
CVE-2024-3374,https://securityvulnerability.io/vulnerability/CVE-2024-3374,Fatal Assertion in Server Due to BSON Object Size Limit Exceedance,"An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.",MongoDB,Mongodb Server,5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-05-14T13:26:42.389Z,0
CVE-2024-3372,https://securityvulnerability.io/vulnerability/CVE-2024-3372,MongoDB Server Vulnerability: Improper Metadata Validation May Cause Server Unavailability,"In MongoDB Server, a vulnerability exists due to improper validation of specific metadata input. This flaw may lead to issues in the server's ability to correctly serialize BSON, potentially enabling attackers to exploit the vulnerability pre-authentication. As a result, this can lead to unexpected behavior in applications, particularly affecting the serverStatus responses. Affected users utilizing versions v7.0 prior to 7.0.6, v6.0 prior to 6.0.14, and v5.0 prior to 5.0.25 should take immediate measures to update their systems to mitigate risk.",MongoDB,Mongodb Server,7.5,HIGH,0.0004299999854993075,false,false,false,false,,false,false,2024-05-14T13:24:05.097Z,0
CVE-2024-1351,https://securityvulnerability.io/vulnerability/CVE-2024-1351,"TLS Certificate Validation Bypass Vulnerability Affects MongoDB Server Versions Prior to 7.0.5, 6.0.13, 5.0.24, and 4.4.28","A significant vulnerability exists in MongoDB Server where specific configurations of --tlsCAFile and tls.CAFile can result in skipping peer certificate validation. This misconfiguration permits untrusted connections, which poses a substantial risk to overall security by undermining the efficacy of TLS. If the server is initiated with TLS enabled and the appropriate CAFile setting is not configured, it may allow incoming connections that would otherwise be rejected due to failed certificate validation. This flaw affects multiple versions of MongoDB Server across various releases, emphasizing the critical need for correct TLS configurations to maintain secure operations.",MongoDB,Mongodb Server,8.8,HIGH,0.0004400000034365803,false,false,false,false,,false,false,2024-03-07T16:10:19.597Z,0
CVE-2023-1409,https://securityvulnerability.io/vulnerability/CVE-2023-1409,Certificate validation issue in MongoDB Server running on Windows or macOS,"If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing a client to establish a TLS connection with the server while supplying any certificate. This issue affects all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.",MongoDB,Mongodb Server,5.3,MEDIUM,0.0008099999977275729,false,false,false,false,,false,false,2023-08-23T16:15:00.000Z,0
CVE-2022-24272,https://securityvulnerability.io/vulnerability/CVE-2022-24272,MongoDB Server (mongod) may crash in response to unexpected requests,"An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0009399999980814755,false,false,false,false,,false,false,2022-04-21T11:15:00.000Z,0
CVE-2021-32040,https://securityvulnerability.io/vulnerability/CVE-2021-32040,Large aggregation pipelines with a specific stage can crash mongod under default configuration,"It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.",MongoDB,Mongodb Server,7.5,HIGH,0.004989999812096357,false,false,false,false,,false,false,2022-04-12T00:00:00.000Z,0
CVE-2021-32036,https://securityvulnerability.io/vulnerability/CVE-2021-32036,Denial of Service and Data Integrity vulnerability in features command,An authenticated user without any specific authorizations may be able to repeatedly invoke the features command which at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.3; MongoDB Server v4.4 versions prior to and including 4.4.9; MongoDB Server v4.2 versions prior to and including 4.2.16 and MongoDB Server v4.0 versions prior to and including 4.0.28.,MongoDB,Mongodb Server,5.4,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2022-02-04T00:00:00.000Z,0
CVE-2021-20330,https://securityvulnerability.io/vulnerability/CVE-2021-20330,Specific replication command with malformed oplog entries can crash secondaries,"An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0008999999845400453,false,false,false,false,,false,false,2021-12-15T00:00:00.000Z,0
CVE-2021-32037,https://securityvulnerability.io/vulnerability/CVE-2021-32037,User may trigger invariant when allowed to send commands directly to shards,"An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0008099999977275729,false,false,false,false,,false,false,2021-11-24T00:00:00.000Z,0
CVE-2021-20333,https://securityvulnerability.io/vulnerability/CVE-2021-20333,Server log entry spoofing via newline injection,Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or in log entries being split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.,MongoDB,Mongodb Server,5.3,MEDIUM,0.0010600000387057662,false,false,false,false,,false,false,2021-07-23T00:00:00.000Z,0
CVE-2021-20326,https://securityvulnerability.io/vulnerability/CVE-2021-20326,Specially crafted query may result in a denial of service of mongod,A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.,MongoDB,Mongodb Server,6.5,MEDIUM,0.0006300000241026282,false,false,false,false,,false,false,2021-04-30T00:00:00.000Z,0
CVE-2018-25004,https://securityvulnerability.io/vulnerability/CVE-2018-25004,Invariant failure when explaining a find with a UUID,A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.,MongoDB,Mongodb Server,4.9,MEDIUM,0.0006300000241026282,false,false,false,false,,false,false,2021-03-01T17:15:00.000Z,0
CVE-2020-7929,https://securityvulnerability.io/vulnerability/CVE-2020-7929,Specially crafted regex query can cause DoS,A user authorized to perform database queries may trigger denial of service by issuing a specially crafted query containing a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.,MongoDB,Mongodb Server,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2021-03-01T16:15:00.000Z,0
CVE-2019-20925,https://securityvulnerability.io/vulnerability/CVE-2019-20925,Denial of service via malformed network packet,"An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.",MongoDB,Mongodb Server,7.5,HIGH,0.0008699999889358878,false,false,false,false,,false,false,2020-11-24T00:00:00.000Z,0
CVE-2018-20805,https://securityvulnerability.io/vulnerability/CVE-2018-20805,Invariant with $elemMatch,"A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch. This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2020-11-23T16:15:00.000Z,0
CVE-2019-2393,https://securityvulnerability.io/vulnerability/CVE-2019-2393,Crash while joining collections with $lookup,"A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2020-11-23T16:15:00.000Z,0
CVE-2018-20802,https://securityvulnerability.io/vulnerability/CVE-2018-20802,Post-auth queries on compound index may crash mongod,A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.,MongoDB,Mongodb Server,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2020-11-23T16:15:00.000Z,0
CVE-2018-20804,https://securityvulnerability.io/vulnerability/CVE-2018-20804,Invariant failure in applyOps,A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.,MongoDB,Mongodb Server,6.5,MEDIUM,0.0006300000241026282,false,false,false,false,,false,false,2020-11-23T16:15:00.000Z,0
CVE-2019-20923,https://securityvulnerability.io/vulnerability/CVE-2019-20923,Crash while handling internal Javascript exception types,"A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7.",MongoDB,Mongodb Server,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2020-11-23T16:15:00.000Z,0
CVE-2019-20924,https://securityvulnerability.io/vulnerability/CVE-2019-20924,Invariant in IndexBoundsBuilder,A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.,MongoDB,Mongodb Server,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2020-11-23T16:15:00.000Z,0