Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server
An authorized user may trigger crashes or receive the contents of buffer over-reads of Ser...
MongoDB Server
5.0 affects versions prior to 5.0.30
6.0 affects versions prior to 6.0.19
7.0 affects versions prior to 7.0.15
8.0 affects versions prior to 8.0.3
CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines
A bug in query analysis of certain complex self-referential $lookup subpipelines may resul...
mongocryptd
5.0 affects versions prior to 5.0.29
6.0 affects versions prior to 6.0.17
7.0 affects versions prior to 7.012
7.3 affects versions prior to 7.3.4
Mongo_crypt_v1.so
6.0 affects versions prior to 6.0.17
7.0 affects versions prior to 7.0.12
7.3 affects versions prior to 7.3.4
MongoDB Server secondaries may crash due to forced index constraints
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index c...
MongoDB Server
6.0 affects versions prior to 6.0.17
7.0 affects versions prior to 7.0.13
7.3 affects versions prior to 7.3.4
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour...
MongoDB Server
6.0.3
MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths
In certain highly specific configurations of the host system and MongoDB server binary ins...
MongoDB Server
6.0 affects versions prior to 6.0.3
5.0 affects versions prior to 5.0.14
Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server
"Hot" backup files may be downloaded by underprivileged users, if they are capable of acqu...
MongoDB Server
6.0 affects versions prior to 6.0.16
7.0 affects versions prior to 7.0.11
7.3 affects versions prior to 7.3.3
Accessing Untrusted Directory May Allow Local Privilege Escalation
Incorrect validation of files loaded from a local untrusted directory may allow local priv...
MongoDB Server
5.0 affects versions prior to 5.0.27
6.0 affects versions prior to 6.0.16
7.0 affects versions prior to 7.0.12
7.3 affects versions prior to 7.3.3
MongoDB C Driver
affects versions prior to 1.26.2
MongoDB PHP Driver
affects versions prior to 1.18.1
MongoDB C Driver bson_string_append may be vulnerable to a buffer overflow
The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow...
libbson
0 affects versions prior to 1.27.1
Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands.
Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing...
MongoDB Rust Driver
2.0 affects versions prior to 2.8.2
MongoDB C Driver bson_strfreev may be susceptible to integer overflow
The bson_strfreev function in the MongoDB C driver library may be susceptible to an intege...
libbson
affects versions prior to 1.26.2
ejson shell parser in MongoDB Compass maybe bypassed
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protectio...
MongoDB Compass
affects versions prior to 1.42.2
Missing authorization check may lead to shard key refinement
A command for refining a collection shard key is missing an authorization check. This may ...
MongoDB Server
5.0 affects versions prior to 5.0.22
6.0 affects versions prior to 6.0.11
7.0 affects versions prior to 7.0.3
Out-of-bounds read in bson module of PyMongo
An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserializat...
PyMongo
affects 4.6.2 and prior versions
MongoDB Server (mongod) may crash when generating ftdc
An unauthenticated user can trigger a fatal assertion in the server while generating ftdc ...
MongoDB Server
5.0 affects 5.0.16 and prior versions
6.0 affects 6.0.5 and prior versions
MongoDB Server may have unexpected application behaviour due to invalid BSON
Improper validation of certain metadata input may result in the server not correctly seria...
MongoDB Server
5.0 affects versions prior to 5.0.25
6.0 affects versions prior to 6.0.14
7.0 affects versions prior to 7.0.6
Insufficient validation of external input in Compass may enable MITM attacks
MongoDB Compass may accept and use insufficiently validated input from an untrusted extern...
MongoDB Compass
affects 1.35.0 to 1.42.0
MongoDB Server may allow successful untrusted connection
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer c...
MongoDB Server
7.0 affects 7.0.5 and prior versions
6.0 affects 6.0.13 and prior versions
5.0 affects 5.0.24 and prior versions
4.4 affects 4.4.28 and prior versions
MongoDB client C Driver may infinitely loop when validating certain BSON input data
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot b...
MongoDB C Driver
1.0.0 affects versions prior to 1.25.0
Secret logging may occur in debug mode of Atlas Operator
The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information...
MongoDB Atlas Kubernetes Operator
1.5.0 affects 1.7.0 and prior versions
Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application
Some MongoDB Drivers may erroneously publish events containing authentication-related data...
MongoDB C Driver
1.0.0 affects versions prior to 1.17.7
MongoDB C++ Driver
3.0.0 affects versions prior to 3.7.0
MongoDB PHP Driver
1.0.0 affects versions prior to 1.9.2
MongoDB Swift Driver
1.0.0 affects versions prior to 1.1.1
MongoDB Node.js Driver
3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.17.0
5.0 affects versions prior to 5.8.0
Certificate validation issue in MongoDB Server running on Windows or macOS
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific...
MongoDB Server
6.3 affects 6.3.2 and prior versions
5.0 affects 5.0.14 and prior versions
4.4 affects 4.4.23 and prior versions
Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an...
MongoDB Ops Manager
6.0 affects versions prior to 6.0.17
5.0 affects versions prior to 5.0.22
MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive
MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app...
MongoDB Ops Manager
v5.0 affects versions prior to 5.0.21
v6.0 affects versions prior to 6.0.12
Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution
Under very specific circumstances (see Required configuration section below), a privileged...
MongoDB .NET/C# Driver
0 affects v2.18.0 and prior versions
MongoDB Server (mongod) may crash in response to unexpected requests
An authenticated user may trigger an invariant assertion during command dispatch due to in...
MongoDB Server
5.0 affects 5.0.6 and prior versions
Large aggregation pipelines with a specific stage can crash mongod under default configuration
It may be possible to have an extremely long aggregation pipeline in conjunction with a sp...
MongoDB Server
5.0 affects versions prior to 5.0.4
4.4 affects versions prior to 4.4.11
4.2 affects versions prior to 4.2.16
Denial of Service and Data Integrity vulnerability in features command
An authenticated user without any specific authorizations may be able to repeatedly invoke...
MongoDB Server
5.0 affects 5.0.3 and prior versions
4.4 affects 4.4.9 and prior versions
4.2 affects 4.2.16 and prior versions
4.0 affects 4.0.28 and prior versions
MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text
Users with appropriate file access may be able to access unencrypted user credentials save...
MongoDB for VS Code
MongoDB for VS Code affects 0.7.0 and prior versions
Specific replication command with malformed oplog entries can crash secondaries
An attacker with basic CRUD permissions on a replicated collection can run the applyOps co...
MongoDB Server
4.0 affects versions prior to 4.0.27
4.2 affects versions prior to 4.2.16
4.4 affects versions prior to 4.4.9
User may trigger invariant when allowed to send commands directly to shards
An authorized user may trigger an invariant which may result in denial of service or serve...
MongoDB Server
5.0 affects 5.0.2 and prior versions
MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application
Specific MongoDB Rust Driver versions can include credentials used by the connection pool ...
MongoDB Rust Driver
2.0.0-alpha
2.0.0-alpha1
1.0.0 affects 1.2.1 and prior versions
Server log entry spoofing via newline injection
Sending specially crafted commands to a MongoDB Server may result in artificial log entrie...
MongoDB Server
3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.10
Specific cstrings input may not be properly validated in the Go Driver
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marsha...
MongoDB Go Driver
1.0 affects 1.5.0 and prior versions
MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application
Specific versions of the MongoDB C# Driver may erroneously publish events containing authe...
MongoDB C# Driver
2.12 affects 2.12.1 and prior versions
Specially crafted query may result in a denial of service of mongod
A user authorized to performing a specific type of find query may trigger a denial of serv...
MongoDB Server
4.4 affects versions prior to 4.4.4
Specific command line parameter might result in accepting invalid certificate
Usage of specific command line parameter in MongoDB Tools which was originally intended to...
MongoDB Database Tools
3.6.5 affects versions prior to 3.6*
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.11
100 affects versions prior to 100.2.0
Local privilege escalation in MongoDB Compass for Windows
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is in...
MongoDB Compass
1.3.0 affects versions prior to 1.x*
Specially crafted regex query can cause DoS
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.21
4.0 affects versions prior to 4.0.20
Invariant failure when explaining a find with a UUID
A user authorized to performing a specific type of query may trigger a denial of service b...
MongoDB Server
3.6 affects versions prior to 3.6.11
4.0 affects versions prior to 4.0.6
MongoDB Node.js client side field level encryption library may not be validating KMS certificate
A specific version of the Node.js mongodb-client-encryption module does not perform correc...
mongodb-client-encryption module
1.2.0
MongoDB Java driver client-side field level encryption not verifying KMS host name
Specific versions of the Java driver that support client-side field level encryption (CSFL...
mongo-java-driver
3.11 affects 3.11.2 and prior versions
3.12 affects 3.12.7 and prior versions
SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager
For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turn...
Ops Manager
4.2 affects 4.2.24 and prior versions
Invariant in IndexBoundsBuilder
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.2 affects versions prior to 4.2.2
Denial of Service when processing malformed Role names
Incorrect validation of user input in the role name parser may lead to use of uninitialize...
MongoDB Server
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.0-rc12
Specific query can cause a DoS against MongoDB Server
A user authorized to perform database queries may cause denial of service by issuing a spe...
MongoDB Server
4.4 affects versions prior to 4.4.1
Potential privilege escalation in Ops Manager API
Specially crafted API calls may allow an authenticated user who holds Organization Owner p...
MongoDB Ops Manager
4.2 affects 4.2.17 and prior versions
4.3 affects 4.3.9 and prior versions
4.4 affects 4.4.2 and prior versions
$mod can result in UB
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.20
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.1
Crash while joining collections with $lookup
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.15
4.0 affects versions prior to 4.0.13
4.2 affects versions prior to 4.2.1
Crash while handling internal Javascript exception types
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.0 affects versions prior to 4.0.7
Post-auth queries on compound index may crash mongod
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.9
4.0 affects versions prior to 4.0.3
Invariant failure in applyOps
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.13
4.0 affects versions prior to 4.0.10
Invariant with $elemMatch
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.0.5
Denial of service via malformed network packet
An unauthenticated client can trigger denial of service by issuing specially crafted wire ...
MongoDB Server
4.2 affects versions prior to 4.2.1
4.0 affects versions prior to 4.0.13
3.6 affects versions prior to 3.6.15
3.4 affects versions prior to 3.4.24
Improper neutralization of null byte leads to read overrun
A user authorized to perform database queries may trigger a read overrun and access arbitr...
MongoDB Server
4.4 affects versions prior to 4.4.1
4.2 affects versions prior to 4.2.9
4.0 affects versions prior to 4.0.20
3.6 affects versions prior to 3.6.20
Infinite loop in aggregation expression
A user authorized to perform database queries may trigger denial of service by issuing spe...
MongoDB Server
4.0 affects versions prior to 4.0.5
3.6 affects versions prior to 3.6.10
3.4 affects versions prior to 3.4.19
Specific GeoQuery can cause DoS against MongoDB Server
A user authorized to perform database queries may cause denial of service by issuing speci...
MongoDB Server
4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19
Potential exposure of log information in Ops Manager
In affected Ops Manager versions there is an exposed http route was that may allow attacke...
Ops Manager
4.0.9
4.0.10
4.1.5
Administrative action may disable enforcement of per-user IP whitelisting
Improper serialization of internal state in the authorization subsystem in MongoDB Server'...
MongoDB Server
4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3
Kubernetes Operator generates potentially insecure certificates
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...
MongoDB Enterprise Kubernetes Operator
1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions
JS-bson may incorrectly serialise some requests
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...
js-bson
1.0 affects 1.1.3 and prior versions
Process termination via PID file manipulation
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...
MongoDB Server
4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22
Code execution on Windows via OpenSSL engine injection
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...
MongoDB Server
4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22
Authorization session conflation
After user deletion in MongoDB Server the improper invalidation of authorization sessions ...
MongoDB Server
4.0 affects versions prior to 4.0.9
3.6 affects versions prior to 3.6.13
3.4 affects versions prior to 3.4.22