MongoDB NoSQL Database
Products by MongoDB Sorted by Most Security Vulnerabilities since 2018
@MongoDB Tweets

Fri Mar 05 15:49:06 +0000 2021
By the Year
In 2021 there have been 1 vulnerability in MongoDB with an average score of 4.6 out of ten. Last year MongoDB had 10 security vulnerabilities published. Right now, MongoDB is on track to have less security vulnerabilities in 2021 than it did last year. Last year, the average CVE base score was greater by 2.00
Year | Vulnerabilities | Average Score |
---|---|---|
2021 | 1 | 4.60 |
2020 | 10 | 6.60 |
2019 | 2 | 5.65 |
2018 | 2 | 7.80 |
It may take a day or so for new MongoDB vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest MongoDB Security Vulnerabilities
For MongoDB Ops Manager 4.2.X with multiple OM application servers
CVE-2021-20335
4.6 - Medium
- February 11, 2021
For MongoDB Ops Manager 4.2.X with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager 4.4.X triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted.
Cleartext Transmission of Sensitive Information
Specially crafted API calls may
CVE-2020-7927
6.5 - Medium
- November 23, 2020
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.
CVE-2020-7927 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries
CVE-2020-7928
6.5 - Medium
- November 23, 2020
A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
CVE-2020-7928 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Incorrect validation of user input in the role name parser may lead to use of uninitialized memory
CVE-2020-7925
7.5 - High
- November 23, 2020
Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.
CVE-2020-7925 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Input Validation
A user authorized to perform database queries may cause denial of service by issuing a specially crafted query
CVE-2020-7926
6.5 - Medium
- November 23, 2020
A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected.
CVE-2020-7926 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Handling of Exceptional Conditions
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries
CVE-2020-7923
6.5 - Medium
- August 21, 2020
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.
CVE-2020-7923 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Handling of Exceptional Conditions
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action
CVE-2020-7921
5.3 - Medium
- May 06, 2020
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.
CVE-2020-7921 can be explotited with network access, and requires small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.6 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
AuthZ
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values
CVE-2020-12135
5.5 - Medium
- April 24, 2020
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.
CVE-2020-12135 can be explotited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Integer Overflow or Wraparound
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may
CVE-2020-7922
6.5 - Medium
- April 09, 2020
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects: MongoDB Inc. MongoDB Enterprise Kubernetes Operator version 1.0, 1.1, 1.2 versions prior to 1.2.4, 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.
CVE-2020-7922 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Improper Certificate Validation
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON
CVE-2019-2391
5.4 - Medium
- March 31, 2020
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
CVE-2019-2391 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Marshaling, Unmarshaling
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data
CVE-2020-7610
9.8 - Critical
- March 30, 2020
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
CVE-2020-7610 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.
Marshaling, Unmarshaling
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts
CVE-2019-2389
4.2 - Medium
- August 30, 2019
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.
CVE-2019-2389 can be explotited with local system access, requires user interaction and user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 0.6 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Input Validation
After user deletion in MongoDB Server the improper invalidation of authorization sessions
CVE-2019-2386
7.1 - High
- August 06, 2019
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
CVE-2019-2386 is exploitable with network access, requires user interaction and a small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
AuthZ
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read
CVE-2018-16790
8.1 - High
- September 10, 2018
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
CVE-2018-16790 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.
Out-of-bounds Read
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js
CVE-2018-13863
7.5 - High
- July 10, 2018
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
CVE-2018-13863 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.