MongoDB (NoSQL Database)


Products by MongoDB, sorted by most security vulnerabilities since 2018

MongoDB (NoSQL Database): 3 vulnerabilities
MongoDB Js Bson: 2 vulnerabilities
MongoDB Libbson: 1 vulnerability
MongoDB Bson: 1 vulnerability
MongoDB C Driver: 1 vulnerability


By the Year

In 2020 there have been 5 vulnerabilities in MongoDB with an average CVSS base score of 6.5 out of 10. Last year MongoDB had 2 security vulnerabilities published, so 3 more vulnerabilities have already been reported in 2020 than in all of last year. The average CVE base score of the 2020 vulnerabilities is also higher, by 0.85.

Year  Vulnerabilities  Average Score
2020  5                6.50
2019  2                5.65
2018  2                7.80

It may take a day or so for new MongoDB vulnerabilities to show up here. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest MongoDB Security Vulnerabilities

Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action

CVE-2020-7921 5.3 - Medium - May 06, 2020

Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.

AuthZ

bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values

CVE-2020-12135 5.5 - Medium - April 24, 2020

bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.

Integer Overflow or Wraparound

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may

CVE-2020-7922 6.5 - Medium - April 09, 2020

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.

Improper Certificate Validation

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON

CVE-2019-2391 5.4 - Medium - March 31, 2020

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.

Marshaling, Unmarshaling

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data

CVE-2020-7610 9.8 - Critical - March 30, 2020

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Marshaling, Unmarshaling

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts

CVE-2019-2389 4.2 - Medium - August 30, 2019

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.

Improper Input Validation

After user deletion in MongoDB Server, improper invalidation of authorization sessions

CVE-2019-2386 7.1 - High - August 06, 2019

After user deletion in MongoDB Server, improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

AuthZ

_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read

CVE-2018-16790 8.1 - High - September 10, 2018

_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.

Out-of-bounds Read

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js

CVE-2018-13863 7.5 - High - July 10, 2018

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD); icons by Icons8