CVE Daily
← All tags

Tag: MongoDB Server

All CVEs associated with "MongoDB Server". Page 2/2 • 227 CVEs.

Subscribe CVEs: RSS for “MongoDB Server”  ·  RSS (High+Critical only)

About “MongoDB Server”

A curated feed of “MongoDB Server”-related CVEs appears below. We currently track 227 CVEs for this tag (all time). In the last 365 days, 81 were published. Average CVSS is 6.7 (all time; 6.8 over 365d), and 43% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-943 - Improper Neutralization of Special Elements in Data Query Logic, CWE-20 - Improper Input Validation, CWE-416 - Use After Free.

In our taxonomy this topic maps to a MODERATE impact class. Databases, proxies, and web servers often need coordinated restarts and config checks. Patch only modules you deploy, verify TLS and authentication, and tune limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2023-09-27
High

CVE-2023-43651

JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability ma…

CVSS: 8.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-08-29
Medium

CVE-2021-32050

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data…

CVSS: 4.2 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-08-23
Medium

CVE-2023-1409

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is…

CVSS: 5.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-08-08
High

CVE-2023-4009

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privilege…

CVSS: 7.2 CWE: CWE-648 - Incorrect Use of Privileged APIs View on NVD
2023-07-01
Critical

CVE-2023-31997

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (…

CVSS: 9.0 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-06-28
Critical

CVE-2023-36475

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a…

CVSS: 9.8 CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') View on NVD
2023-06-09
Low

CVE-2023-0342

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prio…

CVSS: 3.1 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
2023-04-11
Critical

CVE-2022-41331

A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and Mo…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2023-02-21
Medium

CVE-2022-48282

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is…

CVSS: 6.6 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2022-11-10
Critical

CVE-2022-39396

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code…

CVSS: 9.8 CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') View on NVD
2022-10-19
High

CVE-2022-39267

Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
2022-09-23
Medium

CVE-2022-32229

A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-32228

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB q…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-32226

An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to input data in the getUsersOfRoom Meteor server method is not type validated, so that MongoDB query opera…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2022-32218

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-09-02
High

CVE-2022-36076

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO pro…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2022-08-31
Critical

CVE-2022-36045

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generate…

CVSS: 9.0 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2022-08-22
Medium

CVE-2022-34776

Tabit - giftcard stealth. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-34775

Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to que…

CVSS: 6.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2022-34770

Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alco…

CVSS: 4.6 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2022-07-11
Critical

CVE-2022-31551

The pleomax00/flask-mongo-skel repository through 2012-11-01 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

CVSS: 9.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2022-06-23
Critical

CVE-2022-22980

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value b…

CVSS: 9.8 CWE: CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') View on NVD
2022-04-21
Medium

CVE-2022-24272

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. Th…

CVSS: 6.5 CWE: CWE-617 - Reachable Assertion View on NVD
2022-04-12
Medium

CVE-2021-32040

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If a…

CVSS: 6.5 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
2022-03-12
Critical

CVE-2022-24760

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in th…

CVSS: 10.0 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2022-02-04
Medium

CVE-2021-32036

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention.…

CVSS: 5.4 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2022-01-20
Medium

CVE-2021-32039

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to…

CVSS: 5.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2021-12-15
Medium

CVE-2021-20330

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2021-11-24
Medium

CVE-2021-32037

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and sp…

CVSS: 6.5 CWE: CWE-617 - Reachable Assertion View on NVD
2021-09-02
High

CVE-2021-39187

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes when if a query request contains an invalid value…

CVSS: 7.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2021-08-02
Medium

CVE-2021-20332

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logg…

CVSS: 4.2 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-07-23
Medium

CVE-2021-20333

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.…

CVSS: 5.3 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
2021-06-21
High

CVE-2021-21422

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a…

CVSS: 8.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-06-10
Medium

CVE-2021-20329

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject…

CVSS: 6.8 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2021-05-17
Critical

CVE-2020-4669

IBM Planning Analytics Local 2.0 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without passwor…

CVSS: 9.1 CWE: CWE-862 - Missing Authorization View on NVD
2021-05-13
Medium

CVE-2021-20331

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain s…

CVSS: 4.2 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-04-30
Medium

CVE-2021-20326

A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2021-04-13
Medium

CVE-2021-23372

All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.

CVSS: 4.4 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2021-04-12
Medium

CVE-2020-7924

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in acc…

CVSS: 4.2 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-04-06
Medium

CVE-2021-20334

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This i…

CVSS: 4.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2021-03-30
Critical

CVE-2020-24391

mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.

CVSS: 9.8 CWE: N/A View on NVD
2021-03-01
Medium

CVE-2018-25004

A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to…

CVSS: 4.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2020-7929

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21…

CVSS: 6.5 CWE: CWE-185 - Incorrect Regular Expression View on NVD
2021-02-25
Medium

CVE-2021-20327

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network pos…

CVSS: 6.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-02-11
Medium

CVE-2021-20335

For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions p…

CVSS: 6.7 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2020-12-23
High

CVE-2020-35666

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoD…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2020-11-24
High

CVE-2019-20925

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects Mo…

CVSS: 7.5 CWE: CWE-839 - Numeric Range Comparison Without Minimum Check View on NVD
2020-11-23
High

CVE-2020-7927

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 version…

CVSS: 8.1 CWE: CWE-648 - Incorrect Use of Privileged APIs View on NVD
Medium

CVE-2018-20803

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue a…

CVSS: 6.5 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
Medium

CVE-2020-7928

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4…

CVSS: 6.5 CWE: CWE-158 - Improper Neutralization of Null Byte or NUL Character View on NVD
Medium

CVE-2019-2393

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions pri…

CVSS: 6.5 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2019-2392

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB…

CVSS: 6.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Medium

CVE-2019-20924

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Serve…

CVSS: 6.5 CWE: CWE-394 - Unexpected Status Code or Return Value View on NVD
Medium

CVE-2019-20923

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to…

CVSS: 6.5 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
Medium

CVE-2018-20805

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch . This issue affects MongoDB Server v4.0 versions prior t…

CVSS: 6.5 CWE: CWE-834 - Excessive Iteration View on NVD
Medium

CVE-2018-20804

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and Mong…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2018-20802

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 v…

CVSS: 6.5 CWE: CWE-394 - Unexpected Status Code or Return Value View on NVD
Medium

CVE-2020-7926

A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoD…

CVSS: 6.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
High

CVE-2020-7925

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service…

CVSS: 7.5 CWE: CWE-475 - Undefined Behavior for Input to API View on NVD
2020-11-09
Critical

CVE-2020-26542

An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2020-09-16
High

CVE-2020-2268

A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2020-2267

A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2020-08-21
Medium

CVE-2020-7923

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue aff…

CVSS: 6.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2020-07-02
Medium

CVE-2020-2217

Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scr…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-05-13
Medium

CVE-2019-2388

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc.…

CVSS: 5.8 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
2020-05-06
Medium

CVE-2020-7921

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanis…

CVSS: 4.6 CWE: CWE-182 - Collapse of Data into Unsafe Value View on NVD
2020-04-09
Medium

CVE-2020-7922

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X…

CVSS: 6.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-04-02
Medium

CVE-2020-11499

Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFuncti…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-03-31
Medium

CVE-2019-2391

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB In…

CVSS: 4.2 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2020-02-20
High

CVE-2015-4411

The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted stri…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2020-02-12
Critical

CVE-2014-0234

The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing t…

CVSS: 9.8 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
2020-01-15
High

CVE-2020-1929

The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables t…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-12-24
Critical

CVE-2019-10758

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

CVSS: 9.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2019-11-04
High

CVE-2013-4374

An insecurity temporary file vulnerability exists in RHQ Mongo DB Drift Server through 2013-09-25 when unpacking zipped files.

CVSS: 7.1 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2019-11-01
High

CVE-2013-0165

cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp.

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2019-10-10
Critical

CVE-2019-17426

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a"…

CVSS: 9.1 CWE: N/A View on NVD
2019-08-30
High

CVE-2019-2390

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined co…

CVSS: 8.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2019-2389

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the Mo…

CVSS: 5.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2019-08-06
High

CVE-2019-2386

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts r…

CVSS: 7.1 CWE: CWE-285 - Improper Authorization View on NVD
2019-07-30
High

CVE-2017-18381

The installation process in Open edX before 2017-01-10 exposes a MongoDB instance to external connections with default credentials.

CVSS: 7.2 CWE: N/A View on NVD
2019-07-19
High

CVE-2015-7882

Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2019-07-01
Medium

CVE-2019-4383

When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to protect Oracle or MongoDB databases, a redirected restore operation may result in an escalation of user privileges. IBM X-Force ID:…

CVSS: 6.7 CWE: N/A View on NVD
Medium

CVE-2019-4357

When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to protect Oracle, DB2 or MongoDB databases, a redirected restore operation specifying a target path may allow execution of arbitrary c…

CVSS: 6.7 CWE: N/A View on NVD
2018-12-20
High

CVE-2018-1784

IBM API Connect 5.0.0.0 and 5.0.8.4 is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework. IBM X-Force ID: 148807.

CVSS: 7.1 CWE: N/A View on NVD
2018-09-10
High

CVE-2018-16790

_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.

CVSS: 8.1 CWE: CWE-125 - Out-of-bounds Read View on NVD
2018-08-17
Critical

CVE-2018-3783

A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2018-07-10
High

CVE-2018-13863

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is…

CVSS: 7.5 CWE: N/A View on NVD
2018-07-06
Medium

CVE-2017-2665

The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. An…

CVSS: 4.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2018-05-31
High

CVE-2016-10572

mongodb-instance before 0.0.3 installs mongodb locally. mongodb-instance downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code exec…

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2018-04-07
High

CVE-2018-9327

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. The instance has to be configured to use a document database (DirtyDB, CouchDB, MongoDB, or RethinkDB…

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2018-03-14
Critical

CVE-2018-8097

io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2017-11-01
Critical

CVE-2017-15535

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enab…

CVSS: 9.1 CWE: N/A View on NVD
2017-09-09
High

CVE-2017-14227

In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based b…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2017-08-11
Medium

CVE-2015-3156

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_c…

CVSS: 5.5 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2017-06-06
Medium

CVE-2014-8180

MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.

CVSS: 5.5 CWE: CWE-287 - Improper Authentication View on NVD
2017-04-14
High

CVE-2016-3104

mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representa…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2016-10-03
Medium

CVE-2016-6494

The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-06-07
High

CVE-2015-5723

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB…

CVSS: 7.8 CWE: CWE-264 View on NVD
2015-03-30
Medium

CVE-2015-1609

MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request.

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2014-12-25
Medium

CVE-2014-3971

The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash)…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2014-03-06
Medium

CVE-2012-6619

The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON obj…

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD
2013-11-23
Low

CVE-2013-6384

(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to…

CVSS: 1.9 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2013-10-01
Medium

CVE-2013-3969

The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possi…

CVSS: 6.5 CWE: CWE-399 View on NVD
Medium

CVE-2013-1892

MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (inv…

CVSS: 6.0 CWE: CWE-20 - Improper Input Validation View on NVD
2013-08-15
Medium

CVE-2013-2132

bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) vi…

CVSS: 4.3 CWE: N/A View on NVD
2013-07-04
Medium

CVE-2013-4650

MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database.

CVSS: 6.5 CWE: CWE-264 View on NVD
2012-08-16
Medium

CVE-2012-4287

epan/dissectors/packet-mongo.c in the MongoDB dissector in Wireshark 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop and CPU consumption) via a small value for a BSON do…

CVSS: 5.0 CWE: CWE-399 View on NVD