MongoDB MongoDB NoSQL Database

stack.watch can notify you when security vulnerabilities are reported in any MongoDB product. You can add multiple products that you use with MongoDB to create your own personal software stack watcher.

Products by MongoDB Sorted by Most Security Vulnerabilities since 2018

MongoDB4 vulnerabilities
NoSQL Database

MongoDB Js Bson2 vulnerabilities

MongoDB C Driver1 vulnerability

MongoDB Libbson1 vulnerability

MongoDB Bson1 vulnerability

@MongoDB Tweets

.@Forbes migrated its apps to @googlecloud and MongoDB Atlas - here's what happened: - 58% faster build time for n… https://t.co/bKJEE3S0wA
Tue Sep 29 17:52:04 +0000 2020

New to MongoDB? Start with our free and newly revamped M001 - Intro to MongoDB course on MongoDB University! Learn… https://t.co/bUyrqjH23p
Tue Sep 29 13:32:39 +0000 2020

Don't be shy. Share a �� of your machine. Bonus points for a MongoDB sticker. We don't make the rules. (via… https://t.co/dOY6DdFy9w
Mon Sep 28 16:50:08 +0000 2020

RT @JoeKarlsson1: Going live today at *1:30 pm ET today with @TimirahJ! If you want to have a laugh with us about Programmer Memes, then yo…
Fri Sep 25 17:02:57 +0000 2020

By the Year

In 2020 there have been 6 vulnerabilities in MongoDB with an average score of 6.5 out of ten. Last year MongoDB had 2 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2020 as compared to last year. However, the average CVE base score of the vulnerabilities in 2020 is greater by 0.85.

Year Vulnerabilities Average Score
2020 6 6.50
2019 2 5.65
2018 2 7.80

It may take a day or so for new MongoDB vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest MongoDB Security Vulnerabilities

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries

CVE-2020-7923 6.5 - Medium - August 21, 2020

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.5 versions prior to 4.5.1; v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.

CVE-2020-7923 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Improper Handling of Exceptional Conditions

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action

CVE-2020-7921 5.3 - Medium - May 06, 2020

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.

CVE-2020-7921 can be explotited with network access, and requires small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.6 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

AuthZ

bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values

CVE-2020-12135 5.5 - Medium - April 24, 2020

bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.

CVE-2020-12135 can be explotited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Integer Overflow or Wraparound

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may

CVE-2020-7922 6.5 - Medium - April 09, 2020

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.

CVE-2020-7922 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Improper Certificate Validation

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON

CVE-2019-2391 5.4 - Medium - March 31, 2020

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.

CVE-2019-2391 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Marshaling, Unmarshaling

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data

CVE-2020-7610 9.8 - Critical - March 30, 2020

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

CVE-2020-7610 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Marshaling, Unmarshaling

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts

CVE-2019-2389 4.2 - Medium - August 30, 2019

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.

CVE-2019-2389 can be explotited with local system access, requires user interaction and user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 0.6 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Improper Input Validation

After user deletion in MongoDB Server the improper invalidation of authorization sessions

CVE-2019-2386 7.1 - High - August 06, 2019

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

CVE-2019-2386 is exploitable with network access, requires user interaction and a small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

AuthZ

_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read

CVE-2018-16790 8.1 - High - September 10, 2018

_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.

CVE-2018-16790 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.

Out-of-bounds Read

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js

CVE-2018-13863 7.5 - High - July 10, 2018

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

CVE-2018-13863 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8