RSS Feed
MongoDB Server (mongod) may crash in response to unexpected requests
An authenticated user may trigger an invariant assertion during command dispatch due to in...
MongoDB Server
5.0 affects 5.0.6 and prior versions
Large aggregation pipelines with a specific stage can crash mongod under default configuration
It may be possible to have an extremely long aggregation pipeline in conjunction with a sp...
MongoDB Server
5.0 affects versions prior to 5.0.4
4.4 affects versions prior to 4.4.11
4.2 affects versions prior to 4.2.16
Denial of Service and Data Integrity vulnerability in features command
An authenticated user without any specific authorizations may be able to repeatedly invoke...
MongoDB Server
5.0 affects 5.0.3 and prior versions
4.4 affects 4.4.9 and prior versions
4.2 affects 4.2.16 and prior versions
4.0 affects 4.0.28 and prior versions
MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text
Users with appropriate file access may be able to access unencrypted user credentials save...
MongoDB for VS Code
MongoDB for VS Code affects 0.7.0 and prior versions
Specific replication command with malformed oplog entries can crash secondaries
An attacker with basic CRUD permissions on a replicated collection can run the applyOps co...
MongoDB Server
4.0 affects versions prior to 4.0.27
4.2 affects versions prior to 4.2.16
4.4 affects versions prior to 4.4.9
User may trigger invariant when allowed to send commands directly to shards
An authorized user may trigger an invariant which may result in denial of service or serve...
MongoDB Server
5.0 affects 5.0.2 and prior versions
MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application
Specific MongoDB Rust Driver versions can include credentials used by the connection pool ...
MongoDB Rust Driver
1.0.0 affects 1.2.1 and prior versions
2.0.0-alpha
2.0.0-alpha1
Server log entry spoofing via newline injection
Sending specially crafted commands to a MongoDB Server may result in artificial log entrie...
MongoDB Server
3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.10
Specific cstrings input may not be properly validated in the Go Driver
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marsha...
MongoDB Go Driver
1.0 affects 1.5.0 and prior versions
MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application
Specific versions of the MongoDB C# Driver may erroneously publish events containing authe...
MongoDB C# Driver
2.12 affects 2.12.1 and prior versions
Specially crafted query may result in a denial of service of mongod
A user authorized to performing a specific type of find query may trigger a denial of serv...
MongoDB Server
4.4 affects versions prior to 4.4.4
Specific command line parameter might result in accepting invalid certificate
Usage of specific command line parameter in MongoDB Tools which was originally intended to...
MongoDB Database Tools
3.6 affects versions later than 3.6.5
3.6 affects versions prior to 3.6.21
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.11
100 affects versions prior to 100.2.0
Local privilege escalation in MongoDB Compass for Windows
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is in...
MongoDB Compass
1.x affects 1.3.0 and later versions
1.x affects versions prior to 1.25.0
Specially crafted regex query can cause DoS
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.21
4.0 affects versions prior to 4.0.20
Invariant failure when explaining a find with a UUID
A user authorized to performing a specific type of query may trigger a denial of service b...
MongoDB Server
3.6 affects versions prior to 3.6.11
4.0 affects versions prior to 4.0.6
MongoDB Java driver client-side field level encryption not verifying KMS host name
Specific versions of the Java driver that support client-side field level encryption (CSFL...
mongo-java-driver
3.11 affects 3.11.2 and prior versions
3.12 affects 3.12.7 and prior versions
MongoDB Node.js client side field level encryption library may not be validating KMS certificate
A specific version of the Node.js mongodb-client-encryption module does not perform correc...
mongodb-client-encryption module
1.2.0
SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager
For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turn...
Ops Manager
4.2 affects 4.2.24 and prior versions
Invariant in IndexBoundsBuilder
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.2 affects versions prior to 4.2.2
Denial of Service when processing malformed Role names
Incorrect validation of user input in the role name parser may lead to use of uninitialize...
MongoDB Server
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.0-rc12
Specific query can cause a DoS against MongoDB Server
A user authorized to perform database queries may cause denial of service by issuing a spe...
MongoDB Server
4.4 affects versions prior to 4.4.1
Potential privilege escalation in Ops Manager API
Specially crafted API calls may allow an authenticated user who holds Organization Owner p...
MongoDB Ops Manager
4.2 affects 4.2.17 and prior versions
4.3 affects 4.3.9 and prior versions
4.4 affects 4.4.2 and prior versions
$mod can result in UB
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.20
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.1
Crash while joining collections with $lookup
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.15
4.0 affects versions prior to 4.0.13
4.2 affects versions prior to 4.2.1
Crash while handling internal Javascript exception types
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.0 affects versions prior to 4.0.7
Post-auth queries on compound index may crash mongod
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.9
4.0 affects versions prior to 4.0.3
Invariant failure in applyOps
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.13
4.0 affects versions prior to 4.0.10
Invariant with $elemMatch
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.0.5
Denial of service via malformed network packet
An unauthenticated client can trigger denial of service by issuing specially crafted wire ...
MongoDB Server
4.2 affects versions prior to 4.2.1
4.0 affects versions prior to 4.0.13
3.6 affects versions prior to 3.6.15
3.4 affects versions prior to 3.4.24
Improper neutralization of null byte leads to read overrun
A user authorized to perform database queries may trigger a read overrun and access arbitr...
MongoDB Server
4.4 affects versions prior to 4.4.1
4.2 affects versions prior to 4.2.9
4.0 affects versions prior to 4.0.20
3.6 affects versions prior to 3.6.20
Infinite loop in aggregation expression
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.0 affects versions prior to 4.0.5
3.6 affects versions prior to 3.6.10
3.4 affects versions prior to 3.4.19
Specific GeoQuery can cause DoS against MongoDB Server
A user authorized to perform database queries may cause denial of service by issuing speci...
MongoDB Server
4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19
Potential exposure of log information in Ops Manager
In affected Ops Manager versions there is an exposed http route was that may allow attacke...
Ops Manager
4.0.9
4.0.10
4.1.5
Administrative action may disable enforcement of per-user IP whitelisting
Improper serialization of internal state in the authorization subsystem in MongoDB Server'...
MongoDB Server
4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3
Kubernetes Operator generates potentially insecure certificates
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...
MongoDB Enterprise Kubernetes Operator
1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions
JS-bson may incorrectly serialise some requests
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...
js-bson
1.0 affects 1.1.3 and prior versions
Code execution on Windows via OpenSSL engine injection
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...
MongoDB Server
4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22
Process termination via PID file manipulation
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...
MongoDB Server
4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22
Authorization session conflation
After user deletion in MongoDB Server the improper invalidation of authorization sessions ...
MongoDB Server
4.0 affects versions prior to 4.0.9
3.6 affects versions prior to 3.6.13
3.4 affects versions prior to 3.4.22