MongoDB NoSQL Database
stack.watch can notify you when security vulnerabilities are reported in any MongoDB product. You can add multiple products that you use with MongoDB to create your own personal software stack watcher.
Products by MongoDB Sorted by Most Security Vulnerabilities since 2018
@MongoDB Tweets
Join us on Thursday (7/9), for a virtual session with @manuelreil from @alyne to learn about using MongoDB @realm w… https://t.co/PYpualq80M
Tue Jul 07 18:20:03 +0000 2020
Tue Jul 07 18:20:03 +0000 2020
In this Quick Start tutorial by @judy2k, learn how to connect your Rust application to a MongoDB cluster, create, r… https://t.co/wjyxie4ulp
Tue Jul 07 16:29:01 +0000 2020
Tue Jul 07 16:29:01 +0000 2020
RT @wayneoflife: We've rescheduled the MongoDB Community Show and Tell to this Wednesday at 11am EDT. Come join myself and @JoeKarlsson1 fr…
Mon Jul 06 22:52:59 +0000 2020
Mon Jul 06 22:52:59 +0000 2020
Indexes are great (seriously!), but it's easy to get carried away and make indexes that you'll never actually use.… https://t.co/S5xK73Iiu1
Mon Jul 06 18:54:02 +0000 2020
Mon Jul 06 18:54:02 +0000 2020
By the Year
In 2020 there have been 5 vulnerabilities in MongoDB with an average score of 6.5 out of ten. Last year MongoDB had 2 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2020 as compared to last year. However, the average CVE base score of the vulnerabilities in 2020 is greater by 0.85.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2020 | 5 | 6.50 |
| 2019 | 2 | 5.65 |
| 2018 | 2 | 7.80 |
It may take a day or so for new MongoDB vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest MongoDB Security Vulnerabilities
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action
CVE-2020-7921
5.3 - Medium
- May 06, 2020
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.
AuthZ
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values
CVE-2020-12135
5.5 - Medium
- April 24, 2020
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.
Integer Overflow or Wraparound
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may
CVE-2020-7922
6.5 - Medium
- April 09, 2020
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Improper Certificate Validation
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON
CVE-2019-2391
5.4 - Medium
- March 31, 2020
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Marshaling, Unmarshaling
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data
CVE-2020-7610
9.8 - Critical
- March 30, 2020
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Marshaling, Unmarshaling
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts
CVE-2019-2389
4.2 - Medium
- August 30, 2019
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.
Improper Input Validation
After user deletion in MongoDB Server the improper invalidation of authorization sessions
CVE-2019-2386
7.1 - High
- August 06, 2019
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
AuthZ
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read
CVE-2018-16790
8.1 - High
- September 10, 2018
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
Out-of-bounds Read
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js
CVE-2018-13863
7.5 - High
- July 10, 2018