MongoDB NoSQL Database
Products by MongoDB Sorted by Most Security Vulnerabilities since 2018
@MongoDB Tweets
Thu Dec 03 02:51:39 +0000 2020
Thu Dec 03 02:47:50 +0000 2020
By the Year
In 2020 there have been 6 vulnerabilities in MongoDB with an average score of 6.5 out of ten. Last year MongoDB had 2 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2020 as compared to last year. However, the average CVE base score of the vulnerabilities in 2020 is greater by 0.85.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2020 | 6 | 6.50 |
| 2019 | 2 | 5.65 |
| 2018 | 2 | 7.80 |
It may take a day or so for new MongoDB vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest MongoDB Security Vulnerabilities
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries
CVE-2020-7923
6.5 - Medium
- August 21, 2020
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.5 versions prior to 4.5.1; v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.
CVE-2020-7923 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Handling of Exceptional Conditions
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action
CVE-2020-7921
5.3 - Medium
- May 06, 2020
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.
CVE-2020-7921 can be explotited with network access, and requires small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.6 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
AuthZ
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values
CVE-2020-12135
5.5 - Medium
- April 24, 2020
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.
CVE-2020-12135 can be explotited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Integer Overflow or Wraparound
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may
CVE-2020-7922
6.5 - Medium
- April 09, 2020
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
CVE-2020-7922 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Improper Certificate Validation
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON
CVE-2019-2391
5.4 - Medium
- March 31, 2020
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
CVE-2019-2391 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Marshaling, Unmarshaling
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data
CVE-2020-7610
9.8 - Critical
- March 30, 2020
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
CVE-2020-7610 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.
Marshaling, Unmarshaling
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts
CVE-2019-2389
4.2 - Medium
- August 30, 2019
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.
CVE-2019-2389 can be explotited with local system access, requires user interaction and user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 0.6 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Input Validation
After user deletion in MongoDB Server the improper invalidation of authorization sessions
CVE-2019-2386
7.1 - High
- August 06, 2019
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
CVE-2019-2386 is exploitable with network access, requires user interaction and a small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
AuthZ
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read
CVE-2018-16790
8.1 - High
- September 10, 2018
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
CVE-2018-16790 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.
Out-of-bounds Read
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js
CVE-2018-13863
7.5 - High
- July 10, 2018
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
CVE-2018-13863 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.