Filtered by vendor Mongodb
Subscriptions
Total
92 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0755 | 1 Mongodb | 2 Libbson, Mongodb | 2025-04-24 | 8.4 High |
| The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16 | ||||
| CVE-2016-3104 | 1 Mongodb | 1 Mongodb | 2025-04-20 | N/A |
| mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. | ||||
| CVE-2017-15535 | 1 Mongodb | 1 Mongodb | 2025-04-20 | N/A |
| MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory. | ||||
| CVE-2017-14227 | 1 Mongodb | 1 Mongodb | 2025-04-20 | N/A |
| In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c. | ||||
| CVE-2014-8180 | 2 Mongodb, Redhat | 2 Mongodb, Satellite | 2025-04-20 | N/A |
| MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service. | ||||
| CVE-2015-1609 | 3 Fedoraproject, Mongodb, Redhat | 4 Fedora, Mongodb, Satellite and 1 more | 2025-04-12 | N/A |
| MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request. | ||||
| CVE-2014-3971 | 1 Mongodb | 1 Mongodb | 2025-04-12 | N/A |
| The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate. | ||||
| CVE-2012-6619 | 2 Mongodb, Redhat | 5 Mongodb, Enterprise Mrg, Openstack and 2 more | 2025-04-12 | N/A |
| The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read. | ||||
| CVE-2016-6494 | 2 Fedoraproject, Mongodb | 2 Fedora, Mongodb | 2025-04-12 | N/A |
| The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files. | ||||
| CVE-2013-2132 | 4 Canonical, Mongodb, Opensuse and 1 more | 4 Ubuntu Linux, Mongodb, Opensuse and 1 more | 2025-04-11 | N/A |
| bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef." | ||||
| CVE-2013-1892 | 2 Mongodb, Redhat | 2 Mongodb, Enterprise Mrg | 2025-04-11 | N/A |
| MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument. | ||||
| CVE-2013-4650 | 1 Mongodb | 1 Mongodb | 2025-04-11 | N/A |
| MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database. | ||||
| CVE-2013-3969 | 1 Mongodb | 1 Mongodb | 2025-04-11 | N/A |
| The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object. | ||||
| CVE-2025-1755 | 3 Microsoft, Mongodb, Redhat | 6 Windows, Compass, Enterprise Linux For Arm 64 and 3 more | 2025-04-09 | 7.5 High |
| MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1 | ||||
| CVE-2025-1756 | 2 Mongodb, Redhat | 13 Mongosh, Codeready Linux Builder Eus, Codeready Linux Builder For Arm64 Eus and 10 more | 2025-04-09 | 7.5 High |
| mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules\. This issue affects mongosh prior to 2.3.0 | ||||
| CVE-2025-3083 | 1 Mongodb | 1 Mongodb | 2025-04-01 | 7.5 High |
| Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16 | ||||
| CVE-2025-3082 | 1 Mongodb | 1 Mongodb | 2025-04-01 | 3.1 Low |
| A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4. | ||||
| CVE-2025-3084 | 1 Mongodb | 1 Mongodb | 2025-04-01 | 6.5 Medium |
| When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4 | ||||
| CVE-2025-3085 | 1 Mongodb | 1 Mongodb | 2025-04-01 | 8.1 High |
| A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4. Required Configuration : MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled | ||||
| CVE-2022-48282 | 1 Mongodb | 1 C\# Driver | 2025-03-11 | 6.6 Medium |
| Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0 Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable | ||||