This page lists critical alerts and advisories for MongoDB.
See the MongoDB JIRA for a comprehensive list of bugs and feature requests.
Data Integrity Related
| Date | Component | Description | Affects Versions | Fixed in Versions | Ref |
|---|---|---|---|---|---|
February 22, 2018 | Compass | We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions. | 1.3.x to 1.11.1 | 1.11.2 and 1.12.0-beta.4 | MongoDB Compass Alert Details |
May 04, 2016 | Indexing | While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes. | 3.0, 3.2 | 3.2.6, 3.0.12 | SERVER-22970 |
March 31, 2016 | Sharding | During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss. | 3.0.9, 3.0.10 | 3.0.11 | SERVER-23425 |
December 16, 2015 | Replication | In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not. | 3.2.0 | 3.2.1 | SERVER-21868 |
December 10, 2015 | WiredTiger | A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication. | 3.0.0-3.0.7 | 3.0.8 | SERVER-21275 |
June 16, 2015 | Sharding | Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load. | 3.0.0 - 3.0.3 | 3.0.4 | SERVER-18822 |
October 03, 2014 | Storage | MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files. | 2.4.11, 2.6.4 | 2.4.12, 2.6.5 | SERVER-15369 |
August 04, 2014 | Text Search | An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results. | 2.4.0 - 2.4.10, 2.6.0 - 2.6.3 | 2.4.11, 2.6.4 | SERVER-14738 |
January 02, 2014 | Sharding | Under very rare circumstances mongos may incorrectly report a write as successful. | 2.2.0 - 2.2.6, 2.4.0 - 2.4.8 | 2.2.7, 2.4.9 | SERVER-12146 |
October 22, 2013 | Sharding | During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process. | 2.2.0 - 2.2.5, 2.4.0 - 2.4.4 | 2.2.6, 2.4.6 | SERVER-10478 |
March 22, 2013 | Replication | Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync. | 2.4.0 | 2.4.1 | SERVER-9087 |
Operations Related
| Date | Component | Description | Affects Versions | Fixed in Versions | Ref |
|---|---|---|---|---|---|
October 30, 2013 | Sharding | Caching of dbhash results may result in stale values, potentially causing disagreement among sharded cluster config servers. | 2.4.7 | 2.4.8 | SERVER-11421 |
Security Related
| Date | Component | Description | Affects Versions | Fixed in Versions | CVE | Ref |
|---|---|---|---|---|---|---|
August 31, 2019 | MongoDB Tools | An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility. | 4.0.0 to 4.0.10, 3.6.0 to 3.6.13, 3.4.0 to 3.4.21 | 4.0.11, 3.6.14,3.4.22 | CVE-2019-2390 | SERVER-42233 |
August 31, 2019 | MongoDB Server | Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. | 4.0.0 to 4.0.10, 3.6.0 to 3.6.13, 3.4.0 to 3.4.21 | 4.0.11, 3.6.14,3.4.22 | CVE-2019-2389 | SERVER-40563 |
August 07, 2019 | MongoDB Server | After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. | 4.0.0 to 4.0.8, 3.6.0 to 3.6.12, 3.4.0 to 3.4.21 | 4.0.9, 3.6.13,3.4.22 | CVE-2019-2386 | SERVER-38984 |
October 31, 2017 | mongod | When wire protocol compression is enabled, a malicious attacker may exploit an existing vulnerability to deny service or modify server memory. | 3.4.0 to 3.4.9 | 3.4.10 | CVE-2017-15535 | SERVER-31273 |
August 28, 2017 | mongod | When using the WiredTiger storage engine, an admin command can be issued to write statistic logs to a specific file. | 3.0.0-3.0.14(with WiredTiger enabled), 3.2.0-3.2.8 | 3.0.14, 3.2.8 | CVE-2017-12926 | WT-2711 |
May 03, 2017 | mongo shell | The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files. | 2.0, 2.2, 2.4, 2.6, 2.8, 3.014 and earlier, 3.2.14 and earlier | 3.0.15, 3.2.14, 3.4 | CVE-2016-6494 | SERVER-25335 |
June 02, 2016 | mongod | Allows remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. | 2.4, 2.6 (with 2.4-style users) | 2.6 | CVE-2016-3104 | SERVER-24378 |
December 01, 2015 | Security | Unauthorized access to a MongoDB instance or cluster when using LDAP authentication. | MongoDB Enterprise 3.0.0 to 3.0.6 | 3.0.7 | CVE-2015-7882 | SERVER-20691 |
March 27, 2015 | mongod | Remotely trigger a denial of service (crash) due to failure to check for missing value. | 3.0.0 | 3.0.1 | CVE-2015-2705 | SERVER-17521 |
March 25, 2015 | mongod | Remotely trigger a denial of service (crash) via a specially crafted regular expression. | 2.6.8 and earlier, 3.0.0 | 2.6.9 and 3.0.1 | CVE-2014-8964 | SERVER-17252 |
February 25, 2015 | mongod | A specially crafted, malformed BSON message may trigger an uncaught exception in the server, resulting in a loss of availability | 2.6.7 and earlier, 2.4.12 and earlier | 2.6.8 and 2.4.13 | CVE-2015-1609 | SERVER-17264 |
June 17, 2014 | mongod | Remotely trigger a crash when X.509 authentication is enabled | 2.6.0, 2.6.1 | 2.6.2 | CVE-2014-3971 | SERVER-13753 |
May 05, 2014 | mongod | Information disclosure of user credentials | 2.6.0 | 2.6.1 | CVE-2014-2917 | SERVER-13644 |
June 20, 2013 | Concurrency, Security | Improperly grant user system privileges on databases other than local. | 2.4.0 - 2.4.4, 2.5.0 | 2.4.5, 2.5.1 | CVE-2013-4650 | SERVER-9983 |
June 05, 2013 | JS Engine | Remotely triggered segmentation fault in Javascript engine. | 2.4.0 - 2.4.4 | 2.4.5, 2.5.1 | CVE-2013-3969 | SERVER-9878 |
February 02, 2013 | mongo Shell | It is possible to create documents that collide with JavaScript functions when fetched using the mongo shell. | 2.2.3, 2.4.1, and earlier | 3.2.4, 3.3.2 | n/a | SERVER-9131 |
Make sure to subscribe to the MongoDB Announcements Mailing List for important announcements.