Invariant in IndexBoundsBuilder
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.2 affects versions prior to 4.2.2
Denial of Service when processing malformed Role names
Incorrect validation of user input in the role name parser may lead to use of uninitialize...
MongoDB Server
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.0-rc12
Specific query can cause a DoS against MongoDB Server
A user authorized to perform database queries may cause denial of service by issuing a spe...
MongoDB Server
4.4 affects versions prior to 4.4.1
Potential privilege escalation in Ops Manager API
Specially crafted API calls may allow an authenticated user who holds Organization Owner p...
MongoDB Ops Manager
4.2 affects 4.2.17 and prior versions
4.3 affects 4.3.9 and prior versions
4.4 affects 4.4.2 and prior versions
$mod can result in UB
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.20
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.1
Crash while joining collections with $lookup
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.15
4.0 affects versions prior to 4.0.13
4.2 affects versions prior to 4.2.1
Crash while handling internal JavaScript exception types
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.0 affects versions prior to 4.0.7
Post-auth queries on compound index may crash mongod
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.9
4.0 affects versions prior to 4.0.3
Invariant failure in applyOps
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.13
4.0 affects versions prior to 4.0.10
Invariant with $elemMatch
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.0.5
Denial of service via malformed network packet
An unauthenticated client can trigger denial of service by issuing specially crafted wire ...
MongoDB Server
4.2 affects versions prior to 4.2.1
4.0 affects versions prior to 4.0.13
3.6 affects versions prior to 3.6.15
3.4 affects versions prior to 3.4.24
Improper neutralization of null byte leads to read overrun
A user authorized to perform database queries may trigger a read overrun and access arbitr...
MongoDB Server
4.5 affects versions prior to 4.5.1
4.4 affects versions prior to 4.4.1
4.2 affects versions prior to 4.2.9
4.0 affects versions prior to 4.0.20
3.6 affects versions prior to 3.6.20
Infinite loop in aggregation expression
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.0 affects versions prior to 4.0.5
3.6 affects versions prior to 3.6.10
3.4 affects versions prior to 3.4.19
Specific GeoQuery can cause DoS against MongoDB Server
A user authorized to perform database queries may cause denial of service by issuing speci...
MongoDB Server
4.5 affects versions prior to 4.5.1
4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19
Potential exposure of log information in Ops Manager
In affected Ops Manager versions there is an exposed HTTP route that may allow attacke...
Ops Manager
4.0.9
4.0.10
4.1.5
Administrative action may disable enforcement of per-user IP whitelisting
Improper serialization of internal state in the authorization subsystem in MongoDB Server'...
MongoDB Server
4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3
Kubernetes Operator generates potentially insecure certificates
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...
MongoDB Enterprise Kubernetes Operator
1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions
JS-bson may incorrectly serialise some requests
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...
js-bson
1.0 affects 1.1.3 and prior versions
Code execution on Windows via OpenSSL engine injection
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...
MongoDB Server
4.0 prior to 4.0.11
3.6 prior to 3.6.14
3.4 prior to 3.4.22
Process termination via PID file manipulation
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...
MongoDB Server
4.0 prior to 4.0.11
3.6 prior to 3.6.14
3.4 prior to 3.4.22
Authorization session conflation
After user deletion in MongoDB Server the improper invalidation of authorization sessions ...
MongoDB Server
v4.0 versions prior to 4.0.9
v3.6 versions prior to 3.6.13
v3.4 versions prior to 3.4.22