www.mongodb.com
2600:9000:2490:bc00:7:7859:3840:93a1
Public Scan
URL:
https://www.mongodb.com/alerts
Submission: On December 19 via api from DE — Scanned from DE
Form analysis
1 forms found in the DOM
GET https://www.mongodb.com/search
<form role="search" method="GET" action="https://www.mongodb.com/search" class="css-1c69emu">
<div class="css-87svlz">
<div class="css-36i4c2"><input type="text" placeholder="Search products, whitepapers, & more..." value="" class="css-etrcff"></div>
<div class="css-v2nqhr">
<div class="css-aef77t"><button role="button" type="button" class="css-14k7wrz"><span data-testid="selected-value" class="css-6k4l2y">General Information</span>
<div class="css-109dpaz"><svg data-testid="icon" width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" class="css-1yzkxhp">
<path d="M1.06689 0.799988L8.00023 7.73332L14.9336 0.799988" stroke-linecap="round" stroke-linejoin="round" class="css-1tlq8q9"></path>
</svg></div>
</button>
<div class="css-hn9qqo">
<ul data-testid="options" role="listbox" class="css-ac9zo2">
<li role="option" tabindex="0" class="css-11dtrvq">General Information</li>
<li role="option" tabindex="0" class="css-11dtrvq">All Documentation</li>
<li role="option" tabindex="0" class="css-11dtrvq">Realm Documentation</li>
<li role="option" tabindex="0" class="css-11dtrvq">Developer Articles & Topics</li>
<li role="option" tabindex="0" class="css-11dtrvq">Community Forums</li>
<li role="option" tabindex="0" class="css-11dtrvq">Blog</li>
<li role="option" tabindex="0" class="css-11dtrvq">University</li>
</ul>
</div>
</div><input type="hidden" id="addsearch" name="addsearch" value="">
<div class="css-1myrko"><button type="submit" tabindex="0" data-track="true" class=" css-13l1z36"><img alt="search icon" src="https://webimages.mongodb.com/_com_assets/cms/krc3hljsdwdfd2w5d-web-actions-search.svg?auto=format%252Ccompress"
class="css-r9fohf"></button></div>
</div>
</div>
</form>
Text Content
MONGODB ALERTS

This page lists critical alerts and advisories for MongoDB. See the MongoDB JIRA for a comprehensive list of bugs and feature requests.

GENERAL

MONGODB SECURITY NOTICE

12/18/23 - 9:00 PM EST
We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Our investigation and work with the relevant authorities is ongoing. MongoDB will update this alert page with pertinent information as we further investigate the matter.

At this time, as a result of our investigation in collaboration with outside experts, we have high confidence that we were victims of a phishing attack. Through our investigation, we have identified certain information that may be helpful to protect yourself against a potential attack by this unauthorized party:

Indicators of Compromise (IOCs)
The unauthorized party used the Mullvad VPN. Mullvad has many external IP addresses, and there are many VPNs that can be used to hide an IP address. In this case, we saw malicious activity coming from the following IP addresses:

We recommend using the above information to search your networks for suspicious activity. We are committed to being as transparent in this process as we can and providing information so you can assess risk in your network.

In regards to our previous guidance, here are instructions on how to enable phishing-resistant MFA on MongoDB’s native cloud authentication service. MongoDB Cloud also supports federating your identity from your IDP, please see here.

We have fielded questions from some customers about the authenticity of the e-mail titled: MongoDB Security Notice that our Chief Information Security Officer, Lena Smart, sent over the weekend from mongodbteam@mail1.mongodb.com. We can confirm that this email is legitimate.

12/17/23 - 9:00 PM EST
At this time, we have found no evidence of unauthorized access to MongoDB Atlas clusters. To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.

We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers’ system logs were accessed.

We are continuing with our investigation, and are working with relevant authorities and forensic firms. MongoDB will update this alert page with additional information as we continue to investigate the matter.

12/16/2023 - 05:25 PM EST
We are experiencing a spike in login attempts resulting in issues for customers attempting to log in to Atlas and our Support Portal. This is unrelated to the security incident. Please try again in a few minutes if you are still having trouble logging in. [The issue involving user login attempts has been resolved as of 10:22 PM EST]

12/16/2023 - 03:00 PM EST
MongoDB is actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which includes exposure of customer account metadata and contact information. We detected suspicious activity on Wednesday (Dec. 13th, 2023) evening US Eastern Standard Time, immediately activated our incident response process, and believe that this unauthorized access has been going on for some period of time before discovery. At this time, we are not aware of any exposure to the data that customers store in MongoDB Atlas. Nevertheless, we recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant multi-factor authentication (MFA), and regularly rotate their MongoDB Atlas passwords.
MongoDB will update this alert page with additional information as we continue to investigate the matter.

DATA INTEGRITY RELATED

11/29/2023
An issue affecting inserts to Sharded Time Series collections can result in inserted documents on these collections to be immediately orphaned, leading to documents not being returned by queries and potential data loss.
Affects: MongoDB Server versions: 5.0.6 - 5.0.21, 6.0.0 - 6.0.11, 7.0.0 - 7.0.2

11/10/2023
A race condition in mongosync 1.5 can lead to some writes on the source not being replicated to the destination. Upgrade to version 1.6 or later.
Affects: Cluster-to-Cluster Sync (mongosync) versions: 1.5.0

05/23/2023
A storage engine issue can cause inconsistent incremental Ops Manager and Cloud Manager backups. Clusters restored from affected incremental backups can crash with checksum errors. Atlas customers/backups are not affected.
Affects: Ops Manager and Cloud Manager versions: 4.4.8 - 4.4.21, 5.0.2 - 5.0.17, 6.0.0 - 6.0.5

03/14/2023
A storage engine bug in MongoDB running on ARM64 or POWER architectures may store documents or index entries out of order, leading to inconsistencies and improperly sorted or incomplete query results.
Affects: MongoDB Server versions: 4.2.0 - 4.2.23, 4.4.0 - 4.4.18, 5.0.0 - 5.0.14, 6.0.0 - 6.0.4, 6.1.0 - 6.2.0

09/19/2022
A MongoDB agent issue in Atlas, Ops Manager, and Cloud Manager can cause automated "rolling index builds" to introduce index inconsistencies. MongoDB clusters on other platforms are not affected.
Affects: Atlas, Ops Manager, and Cloud Manager versions: MongoDB versions 4.2.19+, 4.4.13+, 5.0.6+, 5.1-5.3, and 6.0.0+ running on:
- Atlas - a fix has been released on Atlas, but clusters may have been impacted in the past.
- Ops Manager versions 5.0.10-5.0.14 and 6.0.0-6.0.2
- Cloud Manager running MongoDB Agent version from 11.13.0.7438-1 to 12.4.0.7702-1

08/11/2022
A behavior change for improperly configured time-to-live (TTL) indexes can suddenly expire documents when upgrading to MongoDB 5.0 or 6.0 from version 4.4 or earlier.
Affects: MongoDB Server versions: 5.0.X, 6.0.X

08/10/2022
A sharding metadata bug in MongoDB versions 5.0.0-5.0.10 and 6.0.0 can introduce corruption during a movePrimary command.
Affects: MongoDB Server versions: 5.0.0 - 5.0.10, 6.0.0

11/12/2021
A storage engine bug in MongoDB 4.4.3 and 4.4.4 can introduce corruption when upgrading to 4.4.8-4.4.10 or 5.0.2-5.0.5. It is safe to upgrade from versions 4.4.3 and 4.4.4 directly to 4.4.11+ or 5.0.6+.
Affects: MongoDB Server versions: 4.4.3, 4.4.4

09/22/2021
A storage engine bug in MongoDB 4.4.2-4.4.8, and 5.0.0-5.0.2 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9 or 5.0.3.
Affects: MongoDB Server versions: 4.4.2-4.4.8, 5.0.0-5.0.2

09/22/2021
A storage engine bug in MongoDB 4.4.8 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9.
Affects: MongoDB Server versions: 4.4.8

08/06/2021
A storage engine bug in MongoDB 4.4.7, 5.0.0, and 5.0.1 allows some inserts to violate unique index constraints. Upgrade to version 4.4.8 or 5.0.2.
Affects: MongoDB Server versions: 4.4.7, 5.0.0, 5.0.1

05/19/2021
A storage engine bug in MongoDB 4.4.5 causes crashes on startup and may cause temporary query correctness issues. Upgrade to version 4.4.6.
Affects: MongoDB Server versions: 4.4.5

10/12/2020
Possible Corruption of Backup Snapshots on certain MongoDB 4.2+ Products
Affects: MongoDB Server versions: 4.2+

06/16/2020
Possible buffer overflow may cause in-memory corruption on MongoDB 4.2.7 with incremental backup enabled.
Affects: MongoDB Server versions: 4.2.7

01/09/2020
A memory management bug can cause lost documents and index inconsistencies on replica set secondaries that restart during index builds.
Affects: MongoDB Server versions: 4.2.0, 4.2.1

01/07/2020
When MongoDB recovers from an unclean shutdown, it is possible for the recovery process to corrupt documents that have received size-changing updates.
Affects: MongoDB Server versions: 3.6.14, 3.6.15

09/23/2019
A memory management bug can cause failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.
Affects: MongoDB Server versions: 4.2.0

02/22/2018
We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions.
Affects: Compass versions: 1.3.x - 1.11.1

05/03/2016
While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes.
Affects: Indexing versions: 3.0, 3.2

03/30/2016
During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss.
Affects: Sharding versions: 3.0.9, 3.0.10

12/16/2015
In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not.
Affects: Replication versions: 3.2.0

12/09/2015
A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication.
Affects: WiredTiger versions: 3.0.0 - 3.0.7

06/15/2015
Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load.
Affects: Sharding versions: 3.0.0 - 3.0.3

10/02/2014
MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.
Affects: Storage versions: 2.4.11, 2.6.4

08/03/2014
An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results.
Affects: Text Search versions: 2.4.0 - 2.4.10, 2.6.0

01/01/2014
Under very rare circumstances mongos may incorrectly report a write as successful.
Affects: Sharding versions: 2.2.0 - 2.2.6, 2.4.0 - 2.4.8

10/21/2013
During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process.
Affects: Sharding versions: 2.2.0 - 2.2.5, 2.4.0 - 2.4.4

03/21/2013
Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync.
Affects: Replication versions: 2.4.0

OPERATIONS RELATED

10/29/2013
Caching of dbhash results may result in stale values, potentially causing disagreement among sharded cluster config servers.
Affects: MongoDB Server versions: 2.4.7

SECURITY RELATED

11/07/2023 CVE-2023-0436 4.5
SECRET LOGGING MAY OCCUR IN DEBUG MODE OF ATLAS OPERATOR
The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information...
Affects: MongoDB Atlas Kubernetes Operator versions: 1.5.0 affects 1.7.0 and prior versions

08/29/2023 CVE-2021-32050 4.2
SOME MONGODB DRIVERS MAY PUBLISH EVENTS CONTAINING AUTHENTICATION-RELATED DATA TO A COMMAND LISTENER CONFIGURED BY AN APPLICATION
Some MongoDB Drivers may erroneously publish events containing authentication-related data...
Affects: MongoDB C Driver versions: 1.0.0 affects versions prior to 1.17.7

08/23/2023 CVE-2023-1409 5.3
CERTIFICATE VALIDATION ISSUE IN MONGODB SERVER RUNNING ON WINDOWS OR MACOS
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific...
Affects: MongoDB Server versions: 6.3 affects 6.3.2 and prior versions; 5.0 affects 5.0.14 and prior versions; 4.4 affects 4.4.23 and prior versions

08/08/2023 CVE-2023-4009 7.2
PRIVILEGE ESCALATION FOR PROJECT OWNER AND PROJECT USER ADMIN ROLES IN OPS MANAGER
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an...
Affects: MongoDB Ops Manager versions: 6.0 affects versions prior to 6.0.17; 5.0 affects versions prior to 5.0.22

06/09/2023 CVE-2023-0342 3.1
MONGODB OPS MANAGER MAY DISCLOSE SENSITIVE INFORMATION IN DIAGNOSTIC ARCHIVE
MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app...
Affects: MongoDB Ops Manager versions: v5.0 affects versions prior to 5.0.21; v6.0 affects versions prior to 6.0.12

02/21/2023 CVE-2022-48282 6.6
DESERIALIZING COMPROMISED OBJECT WITH MONGODB .NET/C# DRIVER MAY CAUSE REMOTE CODE EXECUTION
Under very specific circumstances (see Required configuration section below), a privileged...
Affects: MongoDB .NET/C# Driver versions: 0 affects v2.18.0 and prior versions

05/11/2022 CVE-2022-24272 6.5
MONGODB SERVER (MONGOD) MAY CRASH IN RESPONSE TO UNEXPECTED REQUESTS
An authenticated user may trigger an invariant assertion during command dispatch due to in...
Affects: MongoDB Server versions: 5.0 affects 5.0.6 and prior versions

04/12/2022 CVE-2021-32040 6.5
LARGE AGGREGATION PIPELINES WITH A SPECIFIC STAGE CAN CRASH MONGOD UNDER DEFAULT CONFIGURATION
It may be possible to have an extremely long aggregation pipeline in conjunction with a sp...
Affects: MongoDB Server versions: 5.0 affects versions prior to 5.0.4; 4.4 affects versions prior to 4.4.11; 4.2 affects versions prior to 4.2.16

02/04/2022 CVE-2021-32036 5.4
DENIAL OF SERVICE AND DATA INTEGRITY VULNERABILITY IN FEATURES COMMAND
An authenticated user without any specific authorizations may be able to repeatedly invoke...
Affects: MongoDB Server versions: 5.0 affects 5.0.3 and prior versions; 4.4 affects 4.4.9 and prior versions; 4.2 affects 4.2.16 and prior versions; 4.0 affects 4.0.28 and prior versions

01/20/2022 CVE-2021-32039 5.5
MONGODB EXTENSION FOR VS CODE MAY UNEXPECTEDLY STORE CREDENTIALS LOCALLY IN CLEAR TEXT
Users with appropriate file access may be able to access unencrypted user credentials save...
Affects: MongoDB for VS Code versions: MongoDB for VS Code affects 0.7.0 and prior versions

12/15/2021 CVE-2021-20330 6.5
SPECIFIC REPLICATION COMMAND WITH MALFORMED OPLOG ENTRIES CAN CRASH SECONDARIES
An attacker with basic CRUD permissions on a replicated collection can run the applyOps co...
Affects: MongoDB Server versions: 4.0 affects versions prior to 4.0.27; 4.2 affects versions prior to 4.2.16; 4.4 affects versions prior to 4.4.9

11/24/2021 CVE-2021-32037 6.5
USER MAY TRIGGER INVARIANT WHEN ALLOWED TO SEND COMMANDS DIRECTLY TO SHARDS
An authorized user may trigger an invariant which may result in denial of service or serve...
Affects: MongoDB Server versions: 5.0 affects 5.0.2 and prior versions

08/02/2021 CVE-2021-20332 4.2
MONGODB RUST DRIVER MAY PUBLISH EVENTS CONTAINING AUTHENTICATION-RELATED DATA TO A CONNECTION POOL EVENT LISTENER CONFIGURED BY AN APPLICATION
Specific MongoDB Rust Driver versions can include credentials used by the connection pool ...
Affects: MongoDB Rust Driver versions: 2.0.0-alpha 2.0.0-alpha1 1.0.0 affects 1.2.1 and prior versions

07/23/2021 CVE-2021-20333 5.3
SERVER LOG ENTRY SPOOFING VIA NEWLINE INJECTION
Sending specially crafted commands to a MongoDB Server may result in artificial log entrie...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.20; 4.0 affects versions prior to 4.0.21; 4.2 affects versions prior to 4.2.10

06/10/2021 CVE-2021-20329 6.8
SPECIFIC CSTRINGS INPUT MAY NOT BE PROPERLY VALIDATED IN THE GO DRIVER
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marsha...
Affects: MongoDB Go Driver versions: 1.0 affects 1.5.0 and prior versions

05/24/2021 CVE-2021-20331 4.2
MONGODB C# DRIVER MAY PUBLISH EVENTS CONTAINING AUTHENTICATION-RELATED DATA TO A COMMAND LISTENER CONFIGURED BY AN APPLICATION
Specific versions of the MongoDB C# Driver may erroneously publish events containing authe...
Affects: MongoDB C# Driver versions: 2.12 affects 2.12.1 and prior versions

04/30/2021 CVE-2021-20326 6.5
SPECIALLY CRAFTED QUERY MAY RESULT IN A DENIAL OF SERVICE OF MONGOD
A user authorized to perform a specific type of find query may trigger a denial of serv...
Affects: MongoDB Server versions: 4.4 affects versions prior to 4.4.4

04/12/2021 CVE-2020-7924 4.2
SPECIFIC COMMAND LINE PARAMETER MIGHT RESULT IN ACCEPTING INVALID CERTIFICATE
Usage of specific command line parameter in MongoDB Tools which was originally intended to...
Affects: MongoDB Database Tools versions: 3.6.5 affects versions prior to 3.6*; 4.0 affects versions prior to 4.0.21; 4.2 affects versions prior to 4.2.11; 100 affects versions prior to 100.2.0

04/06/2021 CVE-2021-20334 4.8
LOCAL PRIVILEGE ESCALATION IN MONGODB COMPASS FOR WINDOWS
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is in...
Affects: MongoDB Compass versions: 1.3.0 affects versions prior to 1.x*

02/26/2021 CVE-2020-7929 6.5
SPECIALLY CRAFTED REGEX QUERY CAN CAUSE DOS
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.21; 4.0 affects versions prior to 4.0.20

02/26/2021 CVE-2018-25004 4.9
INVARIANT FAILURE WHEN EXPLAINING A FIND WITH A UUID
A user authorized to perform a specific type of query may trigger a denial of service b...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.11; 4.0 affects versions prior to 4.0.6

02/25/2021 CVE-2021-20327 6.4
MONGODB NODE.JS CLIENT SIDE FIELD LEVEL ENCRYPTION LIBRARY MAY NOT BE VALIDATING KMS CERTIFICATE
A specific version of the Node.js mongodb-client-encryption module does not perform correc...
Affects: mongodb-client-encryption module versions: 1.2.0

02/25/2021 CVE-2021-20328 6.4
MONGODB JAVA DRIVER CLIENT-SIDE FIELD LEVEL ENCRYPTION NOT VERIFYING KMS HOST NAME
Specific versions of the Java driver that support client-side field level encryption (CSFL...
Affects: mongo-java-driver versions: 3.11 affects 3.11.2 and prior versions; 3.12 affects 3.12.7 and prior versions

02/11/2021 CVE-2021-20335 6.7
SSL MAY BE UNEXPECTEDLY DISABLED DURING UPGRADE OF MULTIPLE-SERVER MONGODB OPS MANAGER
For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turn...
Affects: Ops Manager versions: 4.2 affects 4.2.24 and prior versions

12/01/2020 CVE-2019-20924 6.5
INVARIANT IN INDEXBOUNDSBUILDER
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 4.2 affects versions prior to 4.2.2

11/30/2020 CVE-2020-7925 7.5
DENIAL OF SERVICE WHEN PROCESSING MALFORMED ROLE NAMES
Incorrect validation of user input in the role name parser may lead to use of uninitialize...
Affects: MongoDB Server versions: 4.2 affects versions prior to 4.2.9; 4.4 affects versions prior to 4.4.0-rc12

11/30/2020 CVE-2020-7926 6.5
SPECIFIC QUERY CAN CAUSE A DOS AGAINST MONGODB SERVER
A user authorized to perform database queries may cause denial of service by issuing a spe...
Affects: MongoDB Server versions: 4.4 affects versions prior to 4.4.1

11/30/2020 CVE-2020-7927 8.1
POTENTIAL PRIVILEGE ESCALATION IN OPS MANAGER API
Specially crafted API calls may allow an authenticated user who holds Organization Owner p...
Affects: MongoDB Ops Manager versions: 4.2 affects 4.2.17 and prior versions; 4.3 affects 4.3.9 and prior versions; 4.4 affects 4.4.2 and prior versions

11/30/2020 CVE-2019-2392 6.5
$MOD CAN RESULT IN UB
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.20; 4.0 affects versions prior to 4.0.20; 4.2 affects versions prior to 4.2.9; 4.4 affects versions prior to 4.4.1

11/30/2020 CVE-2019-2393 6.5
CRASH WHILE JOINING COLLECTIONS WITH $LOOKUP
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.15; 4.0 affects versions prior to 4.0.13; 4.2 affects versions prior to 4.2.1

11/30/2020 CVE-2019-20923 6.5
CRASH WHILE HANDLING INTERNAL JAVASCRIPT EXCEPTION TYPES
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 4.0 affects versions prior to 4.0.7

11/30/2020 CVE-2018-20802 6.5
POST-AUTH QUERIES ON COMPOUND INDEX MAY CRASH MONGOD
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.9; 4.0 affects versions prior to 4.0.3

11/30/2020 CVE-2018-20804 6.5
INVARIANT FAILURE IN APPLYOPS
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.13; 4.0 affects versions prior to 4.0.10

11/30/2020 CVE-2018-20805 6.5
INVARIANT WITH $ELEMMATCH
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 3.6 affects versions prior to 3.6.10; 4.0 affects versions prior to 4.0.5

11/24/2020 CVE-2019-20925 7.5
DENIAL OF SERVICE VIA MALFORMED NETWORK PACKET
An unauthenticated client can trigger denial of service by issuing specially crafted wire ...
Affects: MongoDB Server versions: 4.2 affects versions prior to 4.2.1; 4.0 affects versions prior to 4.0.13; 3.6 affects versions prior to 3.6.15; 3.4 affects versions prior to 3.4.24

11/23/2020 CVE-2020-7928 6.5
IMPROPER NEUTRALIZATION OF NULL BYTE LEADS TO READ OVERRUN
A user authorized to perform database queries may trigger a read overrun and access arbitr...
Affects: MongoDB Server versions: 4.4 affects versions prior to 4.4.1; 4.2 affects versions prior to 4.2.9; 4.0 affects versions prior to 4.0.20; 3.6 affects versions prior to 3.6.20

11/23/2020 CVE-2018-20803 6.5
INFINITE LOOP IN AGGREGATION EXPRESSION
A user authorized to perform database queries may trigger denial of service by issuing spe...
Affects: MongoDB Server versions: 4.0 affects versions prior to 4.0.5; 3.6 affects versions prior to 3.6.10; 3.4 affects versions prior to 3.4.19

08/21/2020 CVE-2020-7923 6.5
SPECIFIC GEOQUERY CAN CAUSE DOS AGAINST MONGODB SERVER
A user authorized to perform database queries may cause denial of service by issuing speci...
Affects: MongoDB Server versions: 4.4 affects versions prior to 4.4.0-rc7; 4.2 affects versions prior to 4.2.8; 4.0 affects versions prior to 4.0.19

05/13/2020 CVE-2019-2388 5.8
POTENTIAL EXPOSURE OF LOG INFORMATION IN OPS MANAGER
In affected Ops Manager versions there is an exposed http route was that may allow attacke...
Affects: Ops Manager versions: 4.0.9, 4.0.10, 4.1.5

05/06/2020 CVE-2020-7921 4.6
ADMINISTRATIVE ACTION MAY DISABLE ENFORCEMENT OF PER-USER IP WHITELISTING
Improper serialization of internal state in the authorization subsystem in MongoDB Server'...
Affects: MongoDB Server versions: 4.2 affects versions prior to 4.2.3; 4.0 affects versions prior to 4.0.15; 3.6 affects versions prior to 3.6.18; 4.3 affects versions prior to 4.3.3

04/09/2020 CVE-2020-7922 6.4
KUBERNETES OPERATOR GENERATES POTENTIALLY INSECURE CERTIFICATES
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...
Affects: MongoDB Enterprise Kubernetes Operator versions: 1.0 1.1 1.2 affects 1.2.4 and prior versions; 1.3 affects 1.3.1 and prior versions; 1.4 affects 1.4.4 and prior versions

03/31/2020 CVE-2019-2391 4.2
JS-BSON MAY INCORRECTLY SERIALISE SOME REQUESTS
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...
Affects: js-bson versions: 1.0 affects 1.1.3 and prior versions

08/30/2019 CVE-2019-2389 5.3
PROCESS TERMINATION VIA PID FILE MANIPULATION
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...
Affects: MongoDB Server versions:
  4.0 affects versions prior to 4.0.11
  3.6 affects versions prior to 3.6.14
  3.4 affects versions prior to 3.4.22

08/30/2019 CVE-2019-2390 8.2
CODE EXECUTION ON WINDOWS VIA OPENSSL ENGINE INJECTION
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...
Affects: MongoDB Server versions:
  4.0 affects versions prior to 4.0.11
  3.6 affects versions prior to 3.6.14
  3.4 affects versions prior to 3.4.22

08/06/2019 CVE-2019-2386 7.1
AUTHORIZATION SESSION CONFLATION
After user deletion in MongoDB Server the improper invalidation of authorization sessions ...
Affects: MongoDB Server versions:
  4.0 affects versions prior to 4.0.9
  3.6 affects versions prior to 3.6.13
  3.4 affects versions prior to 3.4.22

© 2023 MongoDB, Inc.