MongoDB Alerts

June 16, 2020

MongoDB Server

Possible buffer overflow may result cause in-memory corruption on MongoDB 4.2.7 with incremental backup enabled.

4.2.7

4.2.8

January 09, 2020

MongoDB Server

A memory management bug can cause lost documents and index inconsistencies on replica set secondaries that restart during index builds.

4.2.0,4.2.1

4.2.2

December 07, 2019

MongoDB Server

When MongoDB recovers from an unclean shutdown, it is possible for the recovery process to corrupt documents that have received size-changing updates.

3.6.14,3.6.15

3.6.16

October 23, 2019

MongoDB Server

A memory management bug can cause failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

4.2.0

4.2.1

February 22, 2018

Compass

We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions.

1.3.x to 1.11.1

1.11.2 and 1.12.0-beta.4

May 04, 2016

Indexing

While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes.

3.0, 3.2

3.2.6, 3.0.12

March 31, 2016

Sharding

During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss.

3.0.9, 3.0.10

3.0.11

December 16, 2015

Replication

In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not.

3.2.0

3.2.1

December 10, 2015

WiredTiger

A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication.

3.0.0-3.0.7

3.0.8

June 16, 2015

Sharding

Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load.

3.0.0 - 3.0.3

3.0.4

October 03, 2014

Storage

MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.

2.4.11, 2.6.4

2.4.12, 2.6.5

August 04, 2014

Text Search

An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results.

2.4.0 - 2.4.10, 2.6.0 - 2.6.3

2.4.11, 2.6.4

January 02, 2014

Sharding

Under very rare circumstances mongos may incorrectly report a write as successful.

2.2.0 - 2.2.6, 2.4.0 - 2.4.8

2.2.7, 2.4.9

October 22, 2013

Sharding

During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process.

2.2.0 - 2.2.5, 2.4.0 - 2.4.4

2.2.6, 2.4.6

March 22, 2013

Replication

Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync.

2.4.0

2.4.1

May 06, 2020

MongoDB Server

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action.

MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.

4.2.3, 4.3.3, 4.0.15, 3.6.18

CVE-2020-7921

August 31, 2019

MongoDB Tools

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.

4.0.0 to 4.0.10, 3.6.0 to 3.6.13, 3.4.0 to 3.4.21

4.0.11, 3.6.14,3.4.22

CVE-2019-2390

August 31, 2019

MongoDB Server

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.

4.0.0 to 4.0.10, 3.6.0 to 3.6.13, 3.4.0 to 3.4.21

4.0.11, 3.6.14,3.4.22

CVE-2019-2389

August 07, 2019

MongoDB Server

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.

4.0.0 to 4.0.8, 3.6.0 to 3.6.12, 3.4.0 to 3.4.21

4.0.9, 3.6.13,3.4.22

CVE-2019-2386

October 31, 2017

mongod

When wire protocol compression is enabled, a malicious attacker may exploit an existing vulnerability to deny service or modify server memory.

3.4.0 to 3.4.9

3.4.10

CVE-2017-15535

August 28, 2017

mongod

When using the WiredTiger storage engine, an admin command can be issued to write statistic logs to a specific file.

3.0.0-3.0.14(with WiredTiger enabled), 3.2.0-3.2.8

3.0.14, 3.2.8

CVE-2017-12926

May 03, 2017

mongo shell

The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.

2.0, 2.2, 2.4, 2.6, 2.8, 3.014 and earlier, 3.2.14 and earlier

3.0.15, 3.2.14, 3.4

CVE-2016-6494

June 02, 2016

mongod

Allows remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.

2.4, 2.6 (with 2.4-style users)

2.6

CVE-2016-3104

December 01, 2015

Security

Unauthorized access to a MongoDB instance or cluster when using LDAP authentication.

MongoDB Enterprise 3.0.0 to 3.0.6

3.0.7

CVE-2015-7882

March 27, 2015

mongod

Remotely trigger a denial of service (crash) due to failure to check for missing value.

3.0.0

3.0.1

CVE-2015-2705

March 25, 2015

mongod

Remotely trigger a denial of service (crash) via a specially crafted regular expression.

2.6.8 and earlier, 3.0.0

2.6.9 and 3.0.1

CVE-2014-8964

February 25, 2015

mongod

A specially crafted, malformed BSON message may trigger an uncaught exception in the server, resulting in a loss of availability

2.6.7 and earlier, 2.4.12 and earlier

2.6.8 and 2.4.13

CVE-2015-1609

June 17, 2014

mongod

Remotely trigger a crash when X.509 authentication is enabled

2.6.0, 2.6.1

2.6.2

CVE-2014-3971

May 05, 2014

mongod

Information disclosure of user credentials

2.6.0

2.6.1

CVE-2014-2917

June 20, 2013

Concurrency, Security

Improperly grant user system privileges on databases other than local.

2.4.0 - 2.4.4, 2.5.0

2.4.5, 2.5.1

CVE-2013-4650

June 05, 2013

JS Engine

Remotely triggered segmentation fault in Javascript engine.

2.4.0 - 2.4.4

2.4.5, 2.5.1

CVE-2013-3969

February 02, 2013

mongo Shell

It is possible to create documents that collide with JavaScript functions when fetched using the mongo shell.

2.2.3, 2.4.1, and earlier

3.2.4, 3.3.2

n/a