MongoDB Alerts

This page lists critical alerts and advisories for MongoDB. See the MongoDB JIRA for a comprehensive list of bugs and feature requests.

Data Integrity Related

10/12/2020

Possible Corruption of Backup Snapshots on certain MongoDB 4.2+ Products

Affects:

MongoDB Server

versions:

4.2+

06/16/2020

Possible buffer overflow may result cause in-memory corruption on MongoDB 4.2.7 with incremental backup enabled.

Affects:

MongoDB Server

versions:

4.2.7

01/09/2020

A memory management bug can cause lost documents and index inconsistencies on replica set secondaries that restart during index builds.

Affects:

MongoDB Server

versions:

4.2.0
4.2.1

01/07/2020

When MongoDB recovers from an unclean shutdown, it is possible for the recovery process to corrupt documents that have received size-changing updates.

Affects:

MongoDB Server

versions:

3.6.14
3.6.15

09/23/2019

A memory management bug can cause failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

Affects:

MongoDB Server

versions:

4.2.0

02/22/2018

We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions.

Affects:

Compass

versions:

1.3.x - 1.11.1

05/03/2016

While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes.

Affects:

Indexing

versions:

3.0
3.2

03/30/2016

During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss.

Affects:

Sharding

versions:

3.0.9
3.0.10

12/16/2015

In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not.

Affects:

Replication

versions:

3.2.0

12/09/2015

A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication.

Affects:

WiredTiger

versions:

3.0.0 - 3.0.7

06/15/2015

Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load.

Affects:

Sharding

versions:

3.0.0 - 3.0.3

10/02/2014

MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.

Affects:

Storage

versions:

2.4.11
2.6.4

08/03/2014

An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results.

Affects:

Text Search

versions:

2.4.0 - 2.4.10
2.6.0

01/01/2014

Under very rare circumstances mongos may incorrectly report a write as successful.

Affects:

Sharding

versions:

2.2.0 - 2.2.6
2.4.0 - 2.4.8

10/21/2013

During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process

Affects:

Sharding

versions:

2.2.0 - 2.2.5
2.4.0 - 2.4.4

03/21/2013

Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync.

Affects:

Replication

versions:

2.4.0

Operations Related

10/29/2013

Caching of dbhash results may result in stale values, potentially causing disagreement among sharded cluster config servers.

Affects:

MongoDB Enterprise Kubernetes Operator

versions:

2.4.7

Security Related

08/21/2020
CVE-2020-7923
6.5

Specific GeoQuery can cause DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing speci...

Affects:

MongoDB Server

versions:

4.5 affects versions prior to 4.5.1
4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19

05/13/2020
CVE-2019-2388
5.8

Potential exposure of log information in Ops Manager

In affected Ops Manager versions there is an exposed http route was that may allow attacke...

Affects:

Ops Manager

versions:

4.0.9
4.0.10
4.1.5

05/06/2020
CVE-2020-7921
4.6

Administrative action may disable enforcement of per-user IP whitelisting

Improper serialization of internal state in the authorization subsystem in MongoDB Server'...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3

04/09/2020
CVE-2020-7922
6.4

Kubernetes Operator generates potentially insecure certificates

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...

Affects:

MongoDB Enterprise Kubernetes Operator

versions:

1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions

03/31/2020
CVE-2019-2391
4.2

JS-bson may incorrectly serialise some requests

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...

Affects:

js-bson

versions:

1.0 affects 1.1.3 and prior versions

08/30/2019
CVE-2019-2390
8.2

Code execution on Windows via OpenSSL engine injection

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...

Affects:

MongoDB Server

versions:

4.0 prior to 4.0.11
3.6 prior to 3.6.14
3.4 prior to 3.4.22

08/30/2019
CVE-2019-2389
5.3

Process termination via PID file manipulation

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...

Affects:

MongoDB Server

versions:

4.0 prior to 4.0.11
3.6 prior to 3.6.14
3.4 prior to 3.4.22

08/06/2019
CVE-2019-2386
7.1

Authorization session conflation

After user deletion in MongoDB Server the improper invalidation of authorization sessions ...

Affects:

MongoDB Server

versions:

v4.0 versions prior to 4.0.9
v3.6 versions prior to 3.6.13
v3.4 versions prior to 3.4.22