www.mongodb.com Open in urlscan Pro
2600:9000:2490:bc00:7:7859:3840:93a1  Public Scan

URL: https://www.mongodb.com/alerts
Submission: On December 19 via api from DE — Scanned from DE

Form analysis 1 forms found in the DOM

GET https://www.mongodb.com/search

<form role="search" method="GET" action="https://www.mongodb.com/search" class="css-1c69emu">
  <div class="css-87svlz">
    <div class="css-36i4c2"><input type="text" placeholder="Search products, whitepapers, &amp; more..." value="" class="css-etrcff"></div>
    <div class="css-v2nqhr">
      <div class="css-aef77t"><button role="button" type="button" class="css-14k7wrz"><span data-testid="selected-value" class="css-6k4l2y">General Information</span>
          <div class="css-109dpaz"><svg data-testid="icon" width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" class="css-1yzkxhp">
              <path d="M1.06689 0.799988L8.00023 7.73332L14.9336 0.799988" stroke-linecap="round" stroke-linejoin="round" class="css-1tlq8q9"></path>
            </svg></div>
        </button>
        <div class="css-hn9qqo">
          <ul data-testid="options" role="listbox" class="css-ac9zo2">
            <li role="option" tabindex="0" class="css-11dtrvq">General Information</li>
            <li role="option" tabindex="0" class="css-11dtrvq">All Documentation</li>
            <li role="option" tabindex="0" class="css-11dtrvq">Realm Documentation</li>
            <li role="option" tabindex="0" class="css-11dtrvq">Developer Articles &amp; Topics</li>
            <li role="option" tabindex="0" class="css-11dtrvq">Community Forums</li>
            <li role="option" tabindex="0" class="css-11dtrvq">Blog</li>
            <li role="option" tabindex="0" class="css-11dtrvq">University</li>
          </ul>
        </div>
      </div><input type="hidden" id="addsearch" name="addsearch" value="">
      <div class="css-1myrko"><button type="submit" tabindex="0" data-track="true" class=" css-13l1z36"><img alt="search icon" src="https://webimages.mongodb.com/_com_assets/cms/krc3hljsdwdfd2w5d-web-actions-search.svg?auto=format%252Ccompress"
            class="css-r9fohf"></button></div>
    </div>
  </div>
</form>

Text Content

New
{New}  Announcing MongoDB Atlas Vector Search and Dedicated Search Nodes for
genAI use cases
General Information

 * General Information
 * All Documentation
 * Realm Documentation
 * Developer Articles & Topics
 * Community Forums
 * Blog
 * University


 * Products
   Platform
   AtlasBuild on a developer data platform
   Platform Services
   DatabaseDeploy a multi-cloud databaseSearchDeliver engaging search
   experiencesVector SearchDesign intelligent apps with GenAIStream Processing
   (Preview)Unify data in motion and data at rest
   Tools
   CompassWork with MongoDB data in a GUIIntegrationsIntegrations with
   third-party servicesRelational MigratorMigrate to MongoDB with confidence
   Self Managed
   Enterprise AdvancedRun and manage MongoDB yourselfCommunity EditionDevelop
   locally with MongoDB
   Build with MongoDB Atlas
   Get started for free in minutes
   Sign Up
   Test Enterprise Advanced
   Develop with MongoDB on-premises
   Download
   Try Community Edition
   Explore the latest version of MongoDB
   Download
 * Resources
   Documentation
   Atlas DocumentationGet started using AtlasServer DocumentationLearn to use
   MongoDBStart With GuidesGet step-by-step guidance for key tasks
   
   Tools and ConnectorsLearn how to connect to MongoDBMongoDB DriversUse drivers
   and libraries for MongoDB
   AI Resources HubGet help building the next big thing in AI with
   MongoDBarrow-right
   Connect
   Developer CenterExplore a wide range of developer resourcesCommunityJoin a
   global community of developersCourses and CertificationLearn for free from
   MongoDBWebinars and EventsFind a webinar or event near you
 * Solutions
   Use cases
   Artificial IntelligenceEdge ComputingInternet of
   ThingsMobilePaymentsServerless Development
   Industries
   Financial ServicesTelecommunicationsHealthcareRetailPublic
   SectorManufacturing
   Solutions LibraryOrganized and tailored solutions to kick-start
   projectsarrow-right
   Developer Data Platform
   Accelerate innovation at scale
   Learn morearrow-right
   Startups and AI Innovators
   For world-changing ideas and AI pioneers
   Learn morearrow-right
   Customer Case Studies
   Hear directly from our users
   See Storiesarrow-right
 * Company
   CareersStart your next adventureBlogRead articles and
   announcementsNewsroomRead press releases and news stories
   PartnersLearn about our partner ecosystemLeadershipMeet our executive
   teamCompanyLearn more about who we are
   Contact Us
   Reach out to MongoDB
   Let’s chatarrow-right
   Investors
   Visit our investor portal
   Learn morearrow-right
 * Pricing

SupportSign In
Try Free
menu-vertical



MONGODB ALERTS

This page lists critical alerts and advisories for MongoDB. See the MongoDB JIRA
for a comprehensive list of bugs and feature requests.

RSS Feed



General

Data integrity related

Operations Related

Security Related



GENERAL

MONGODB SECURITY NOTICE



12/18/23 - 9:00 PM EST

We continue to find no evidence of unauthorized access to MongoDB Atlas clusters
or the Atlas cluster authentication system. Our investigation and work with the
relevant authorities is ongoing. MongoDB will update this alert page with
pertinent information as we further investigate the matter.

At this time, as a result of our investigation in collaboration with outside
experts, we have high confidence that we were victims of a phishing attack.
Through our investigation, we have identified certain information that may be
helpful to protect yourself against a potential attack by this unauthorized
party:

Indicators of Compromise (IOCs)

The unauthorized party used the Mullvad VPN. Mullvad has many external IP
addresses, and there are many VPNs that can be used to hide an IP address. In
this case, we saw malicious activity coming from the following IP addresses:

 * 107.150.22.47

 * 138.199.6.199

 * 146.70.187.157

 * 179.43.189.85

 * 185.156.46.165

 * 198.44.136.69

 * 198.44.136.71

 * 198.44.140.133

 * 198.44.140.199

 * 199.116.118.207

 * 206.217.205.88

 * 66.63.167.152

 * 66.63.167.154

 * 87.249.134.10

 * 96.44.191.132

We recommend using the above information to search your networks for suspicious
activity. We are committed to being as transparent in this process as we can and
providing information so you can assess risk in your network.



In regards to our previous guidance, here are instructions on how to enable
phishing-resistant MFA on MongoDB’s native cloud authentication service. MongoDB
Cloud also supports federating your identity from your IDP, please see here.

We have fielded questions from some customers about the authenticity of the
e-mail titled: MongoDB Security Notice that our Chief Information Security
Officer, Lena Smart, sent over the weekend from mongodbteam@mail1.mongodb.com.
We can confirm that this email is legitimate.

12/17/23 - 9:00 PM EST

At this time, we have found no evidence of unauthorized access to MongoDB Atlas
clusters. To be clear, we have not identified any security vulnerability in any
MongoDB product as a result of this incident. It is important to note that
MongoDB Atlas cluster access is authenticated via a separate system from MongoDB
corporate systems, and we have found no evidence that the Atlas cluster
authentication system has been compromised.

We are aware of unauthorized access to some corporate systems that contain
customer names, phone numbers, and email addresses among other customer account
metadata, including system logs for one customer. We have notified the affected
customer. At this time, we have found no evidence that any other customers’
system logs were accessed.

We are continuing with our investigation, and are working with relevant
authorities and forensic firms. MongoDB will update this alert page with
additional information as we continue to investigate the matter.

All updates >





12/18/23 - 9:00 PM EST

We continue to find no evidence of unauthorized access to MongoDB Atlas clusters
or the Atlas cluster authentication system. Our investigation and work with the
relevant authorities is ongoing. MongoDB will update this alert page with
pertinent information as we further investigate the matter.

At this time, as a result of our investigation in collaboration with outside
experts, we have high confidence that we were victims of a phishing attack.
Through our investigation, we have identified certain information that may be
helpful to protect yourself against a potential attack by this unauthorized
party:

Indicators of Compromise (IOCs)

The unauthorized party used the Mullvad VPN. Mullvad has many external IP
addresses, and there are many VPNs that can be used to hide an IP address. In
this case, we saw malicious activity coming from the following IP addresses:

 * 107.150.22.47

 * 138.199.6.199

 * 146.70.187.157

 * 179.43.189.85

 * 185.156.46.165

 * 198.44.136.69

 * 198.44.136.71

 * 198.44.140.133

 * 198.44.140.199

 * 199.116.118.207

 * 206.217.205.88

 * 66.63.167.152

 * 66.63.167.154

 * 87.249.134.10

 * 96.44.191.132

We recommend using the above information to search your networks for suspicious
activity. We are committed to being as transparent in this process as we can and
providing information so you can assess risk in your network.

In regards to our previous guidance, here are instructions on how to enable
phishing-resistant MFA on MongoDB’s native cloud authentication service. MongoDB
Cloud also supports federating your identity from your IDP, please see here.

We have fielded questions from some customers about the authenticity of the
e-mail titled: MongoDB Security Notice that our Chief Information Security
Officer, Lena Smart, sent over the weekend from mongodbteam@mail1.mongodb.com.
We can confirm that this email is legitimate.

12/17/23 - 9:00 PM EST

At this time, we have found no evidence of unauthorized access to MongoDB Atlas
clusters. To be clear, we have not identified any security vulnerability in any
MongoDB product as a result of this incident. It is important to note that
MongoDB Atlas cluster access is authenticated via a separate system from MongoDB
corporate systems, and we have found no evidence that the Atlas cluster
authentication system has been compromised.

We are aware of unauthorized access to some corporate systems that contain
customer names, phone numbers, and email addresses among other customer account
metadata, including system logs for one customer. We have notified the affected
customer. At this time, we have found no evidence that any other customers’
system logs were accessed.

We are continuing with our investigation, and are working with relevant
authorities and forensic firms. MongoDB will update this alert page with
additional information as we continue to investigate the matter.

12/16/2023 - 05:25 PM EST

We are experiencing a spike in login attempts resulting in issues for customers
attempting to log in to Atlas and our Support Portal. This is unrelated to the
security incident. Please try again in a few minutes if you are still having
trouble logging in. [The issue involving user login attempts has been resolved
as of 10:22 PM EST]

12/16/2023 - 03:00 PM EST

MongoDB is actively investigating a security incident involving unauthorized
access to certain MongoDB corporate systems, which includes exposure of customer
account metadata and contact information. We detected suspicious activity on
Wednesday (Dec. 13th, 2023) evening US Eastern Standard Time, immediately
activated our incident response process, and believe that this unauthorized
access has been going on for some period of time before discovery. At this time,
we are not aware of any exposure to the data that customers store in MongoDB
Atlas. Nevertheless, we recommend that customers be vigilant for social
engineering and phishing attacks, activate phishing-resistant multi-factor
authentication (MFA), and regularly rotate their MongoDB Atlas passwords.
MongoDB will update this alert page with additional information as we continue
to investigate the matter.




DATA INTEGRITY RELATED

11/29/2023

An issue affecting inserts to Sharded Time Series collections can result in
inserted documents on these collections to be immediately orphaned, leading to
documents not being returned by queries and potential data loss.

Affects:

MongoDB Server

versions:

5.0.6 - 5.0.21
6.0.0 - 6.0.11
7.0.0 - 7.0.2


Reference Link →
11/10/2023

A race condition in mongosync 1.5 can lead to some writes on the source not
being replicated to the destination. Upgrade to version 1.6 or later.

Affects:

Cluster-to-Cluster Sync (mongosync)

versions:

1.5.0


Reference Link →
05/23/2023

A storage engine issue can cause inconsistent incremental Ops Manager and Cloud
Manager backups. Clusters restored from affected incremental backups can crash
with checksum errors. Atlas customers/backups are not affected.

Affects:

Ops Manager and Cloud Manager

versions:

4.4.8 - 4.4.21
5.0.2 - 5.0.17
6.0.0 - 6.0.5


Reference Link →
03/14/2023

A storage engine bug in MongoDB running on ARM64 or POWER architectures may
store documents or index entries out of order, leading to inconsistencies and
improperly sorted or incomplete query results.

Affects:

MongoDB Server

versions:

4.2.0 - 4.2.23
4.4.0 - 4.4.18
5.0.0 - 5.0.14
6.0.0 - 6.0.4
6.1.0 - 6.2.0


Reference Link →
09/19/2022

A MongoDB agent issue in Atlas, Ops Manager, and Cloud Manager can cause
automated "rolling index builds" to introduce index inconsistencies. MongoDB
clusters on other platforms are not affected.

Affects:

Atlas, Ops Manager, and Cloud Manager

versions:

MongoDB versions 4.2.19+, 4.4.13+, 5.0.6+, 5.1-5.3, and 6.0.0+ running on:
- Atlas - a fix has been released on Atlas, but clusters may have been impacted
in the past.
- Ops Manager versions 5.0.10-5.0.14 and 6.0.0-6.0.2
- Cloud Manager running MongoDB Agent version from 11.13.0.7438-1 to
12.4.0.7702-1


Reference Link →
08/11/2022

A behavior change for improperly configured time-to-live (TTL) indexes can
suddenly expire documents when upgrading to MongoDB 5.0 or 6.0 from version 4.4
or earlier.

Affects:

MongoDB Server

versions:

5.0.X
6.0.X


Reference Link →
08/10/2022

A sharding metadata bug in MongoDB versions 5.0.0-5.0.10 and 6.0.0 can introduce
corruption during a movePrimary command.

Affects:

MongoDB Server

versions:

5.0.0 - 5.0.10
6.0.0


Reference Link →
11/12/2021

A storage engine bug in MongoDB 4.4.3 and 4.4.4 can introduce corruption when
upgrading to 4.4.8-4.4.10 or 5.0.2-5.0.5. It is safe to upgrade from versions
4.4.3 and 4.4.4 directly to 4.4.11+ or 5.0.6+

Affects:

MongoDB Server

versions:

4.4.3
4.4.4


Reference Link →
09/22/2021

A storage engine bug in MongoDB 4.4.2-4.4.8, and 5.0.0-5.0.2 can cause
inconsistent data after an unclean shutdown and restart. Upgrade to version
4.4.9 or 5.0.3.

Affects:

MongoDB Server

versions:

4.4.2-4.4.8
5.0.0-5.0.2


Reference Link →
09/22/2021

A storage engine bug in MongoDB 4.4.8 can cause inconsistent data after an
unclean shutdown and restart. Upgrade to version 4.4.9.

Affects:

MongoDB Server

versions:

4.4.8


Reference Link →
08/06/2021

A storage engine bug in MongoDB 4.4.7, 5.0.0, and 5.0.1 allows some inserts to
violate unique index constraints. Upgrade to version 4.4.8 or 5.0.2.

Affects:

MongoDB Server

versions:

4.4.7
5.0.0
5.0.1


Reference Link →
05/19/2021

A storage engine bug in MongoDB 4.4.5 causes crashes on startup and may cause
temporary query correctness issues. Upgrade to version 4.4.6.

Affects:

MongoDB Server

versions:

4.4.5


Reference Link →
10/12/2020

Possible Corruption of Backup Snapshots on certain MongoDB 4.2+ Products

Affects:

MongoDB Server

versions:

4.2+


Reference Link →
06/16/2020

Possible buffer overflow may result cause in-memory corruption on MongoDB 4.2.7
with incremental backup enabled.

Affects:

MongoDB Server

versions:

4.2.7


Reference Link →
01/09/2020

A memory management bug can cause lost documents and index inconsistencies on
replica set secondaries that restart during index builds.

Affects:

MongoDB Server

versions:

4.2.0
4.2.1


Reference Link →
01/07/2020

When MongoDB recovers from an unclean shutdown, it is possible for the recovery
process to corrupt documents that have received size-changing updates.

Affects:

MongoDB Server

versions:

3.6.14
3.6.15


Reference Link →
09/23/2019

A memory management bug can cause failed operations, process crashes, and
in-memory corruption of data that may be persisted to disk.

Affects:

MongoDB Server

versions:

4.2.0


Reference Link →
02/22/2018

We have identified a bug in MongoDB Compass where modification or deletion of a
document through Compass may occur on a different document than expected under
certain specific conditions.

Affects:

Compass

versions:

1.3.x - 1.11.1


Reference Link →
05/03/2016

While a background index build is in progress, document updates modifying fields
contained in the index specification may, under specific circumstances, cause
mismatched index entries to appear. This has an impact on queries that use
affected indexes.

Affects:

Indexing

versions:

3.0
3.2


Reference Link →
03/30/2016

During chunk migrations, insert and update operations affecting data within a
migrating chunk are not reflected to the recipient shard, resulting in data
loss.

Affects:

Sharding

versions:

3.0.9
3.0.10


Reference Link →
12/16/2015

In a replica set, if a secondary node is shut down cleanly while replicating
writes, the node may mark certain replicated operations as successfully applied
even though they have not.

Affects:

Replication

versions:

3.2.0


Reference Link →
12/09/2015

A race condition in WiredTiger may prevent a write operation from becoming
immediately visible to subsequent read operations, which may result in various
problems, primarily impacting replication.

Affects:

WiredTiger

versions:

3.0.0 - 3.0.7


Reference Link →
06/15/2015

Sharded clusters where the balancer is enabled (or there are manual chunk
migrations), containing WiredTiger nodes that may become primary, may lose
writes to a chunk being migrated if that chunk is under a heavy write load.

Affects:

Sharding

versions:

3.0.0 - 3.0.3


Reference Link →
10/02/2014

MongoDB installations on certain 3.x Linux kernels running on VMWare and using
virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.

Affects:

Storage

versions:

2.4.11
2.6.4


Reference Link →
08/03/2014

An update to a text-indexed field may fail to update the text index. As a
result, a text search may not match the field contents, yielding incorrect
search results.

Affects:

Text Search

versions:

2.4.0 - 2.4.10
2.6.0


Reference Link →
01/01/2014

Under very rare circumstances mongos may incorrectly report a write as
successful.

Affects:

Sharding

versions:

2.2.0 - 2.2.6
2.4.0 - 2.4.8


Reference Link →
10/21/2013

During a chunk migration in a sharded cluster, if one of the documents in the
chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive),
then some documents may be lost during the migration process

Affects:

Sharding

versions:

2.2.0 - 2.2.5
2.4.0 - 2.4.4


Reference Link →
03/21/2013

Secondary indexes (i.e. all indexes other than _id) may be corrupted on an
initial sync if write operations are performed on the sync source during the
initial sync.

Affects:

Replication

versions:

2.4.0


Reference Link →


OPERATIONS RELATED

10/29/2013

Caching of dbhash results may result in stale values, potentially causing
disagreement among sharded cluster config servers.

Affects:

MongoDB Server

versions:

2.4.7


Reference Link →


SECURITY RELATED

11/07/2023
CVE-2023-0436
4.5

SECRET LOGGING MAY OCCUR IN DEBUG MODE OF ATLAS OPERATOR

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive
information...

View more...

Affects:

MongoDB Atlas Kubernetes Operator

versions:

1.5.0 affects 1.7.0 and prior versions


Reference Link →
08/29/2023
CVE-2021-32050
4.2

SOME MONGODB DRIVERS MAY PUBLISH EVENTS CONTAINING AUTHENTICATION-RELATED DATA
TO A COMMAND LISTENER CONFIGURED BY AN APPLICATION

Some MongoDB Drivers may erroneously publish events containing
authentication-related data...

View more...

Affects:

MongoDB C Driver

versions:

1.0.0 affects versions prior to 1.17.7


Reference Link →
08/23/2023
CVE-2023-1409
5.3

CERTIFICATE VALIDATION ISSUE IN MONGODB SERVER RUNNING ON WINDOWS OR MACOS

If the MongoDB Server running on Windows or macOS is configured to use TLS with
a specific...

View more...

Affects:

MongoDB Server

versions:

6.3 affects 6.3.2 and prior versions
5.0 affects 5.0.14 and prior versions
4.4 affects 4.4.23 and prior versions


Reference Link →
08/08/2023
CVE-2023-4009
7.2

PRIVILEGE ESCALATION FOR PROJECT OWNER AND PROJECT USER ADMIN ROLES IN OPS
MANAGER

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is
possible for an...

View more...

Affects:

MongoDB Ops Manager

versions:

6.0 affects versions prior to 6.0.17
5.0 affects versions prior to 5.0.22


Reference Link →
06/09/2023
CVE-2023-0342
3.1

MONGODB OPS MANAGER MAY DISCLOSE SENSITIVE INFORMATION IN DIAGNOSTIC ARCHIVE

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file
password app...

View more...

Affects:

MongoDB Ops Manager

versions:

v5.0 affects versions prior to 5.0.21
v6.0 affects versions prior to 6.0.12


Reference Link →
02/21/2023
CVE-2022-48282
6.6

DESERIALIZING COMPROMISED OBJECT WITH MONGODB .NET/C# DRIVER MAY CAUSE REMOTE
CODE EXECUTION

Under very specific circumstances (see Required configuration section below), a
privileged...

View more...

Affects:

MongoDB .NET/C# Driver

versions:

0 affects v2.18.0 and prior versions


Reference Link →
05/11/2022
CVE-2022-24272
6.5

MONGODB SERVER (MONGOD) MAY CRASH IN RESPONSE TO UNEXPECTED REQUESTS

An authenticated user may trigger an invariant assertion during command dispatch
due to in...

View more...

Affects:

MongoDB Server

versions:

5.0 affects 5.0.6 and prior versions


Reference Link →
04/12/2022
CVE-2021-32040
6.5

LARGE AGGREGATION PIPELINES WITH A SPECIFIC STAGE CAN CRASH MONGOD UNDER DEFAULT
CONFIGURATION

It may be possible to have an extremely long aggregation pipeline in conjunction
with a sp...

View more...

Affects:

MongoDB Server

versions:

5.0 affects versions prior to 5.0.4
4.4 affects versions prior to 4.4.11
4.2 affects versions prior to 4.2.16


Reference Link →
02/04/2022
CVE-2021-32036
5.4

DENIAL OF SERVICE AND DATA INTEGRITY VULNERABILITY IN FEATURES COMMAND

An authenticated user without any specific authorizations may be able to
repeatedly invoke...

View more...

Affects:

MongoDB Server

versions:

5.0 affects 5.0.3 and prior versions
4.4 affects 4.4.9 and prior versions
4.2 affects 4.2.16 and prior versions
4.0 affects 4.0.28 and prior versions


Reference Link →
01/20/2022
CVE-2021-32039
5.5

MONGODB EXTENSION FOR VS CODE MAY UNEXPECTEDLY STORE CREDENTIALS LOCALLY IN
CLEAR TEXT

Users with appropriate file access may be able to access unencrypted user
credentials save...

View more...

Affects:

MongoDB for VS Code

versions:

MongoDB for VS Code affects 0.7.0 and prior versions


Reference Link →
12/15/2021
CVE-2021-20330
6.5

SPECIFIC REPLICATION COMMAND WITH MALFORMED OPLOG ENTRIES CAN CRASH SECONDARIES

An attacker with basic CRUD permissions on a replicated collection can run the
applyOps co...

View more...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.27
4.2 affects versions prior to 4.2.16
4.4 affects versions prior to 4.4.9


Reference Link →
11/24/2021
CVE-2021-32037
6.5

USER MAY TRIGGER INVARIANT WHEN ALLOWED TO SEND COMMANDS DIRECTLY TO SHARDS

An authorized user may trigger an invariant which may result in denial of
service or serve...

View more...

Affects:

MongoDB Server

versions:

5.0 affects 5.0.2 and prior versions


Reference Link →
08/02/2021
CVE-2021-20332
4.2

MONGODB RUST DRIVER MAY PUBLISH EVENTS CONTAINING AUTHENTICATION-RELATED DATA TO
A CONNECTION POOL EVENT LISTENER CONFIGURED BY AN APPLICATION

Specific MongoDB Rust Driver versions can include credentials used by the
connection pool ...

View more...

Affects:

MongoDB Rust Driver

versions:

2.0.0-alpha
2.0.0-alpha1
1.0.0 affects 1.2.1 and prior versions


Reference Link →
07/23/2021
CVE-2021-20333
5.3

SERVER LOG ENTRY SPOOFING VIA NEWLINE INJECTION

Sending specially crafted commands to a MongoDB Server may result in artificial
log entrie...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.10


Reference Link →
06/10/2021
CVE-2021-20329
6.8

SPECIFIC CSTRINGS INPUT MAY NOT BE PROPERLY VALIDATED IN THE GO DRIVER

Specific cstrings input may not be properly validated in the MongoDB Go Driver
when marsha...

View more...

Affects:

MongoDB Go Driver

versions:

1.0 affects 1.5.0 and prior versions


Reference Link →
05/24/2021
CVE-2021-20331
4.2

MONGODB C# DRIVER MAY PUBLISH EVENTS CONTAINING AUTHENTICATION-RELATED DATA TO A
COMMAND LISTENER CONFIGURED BY AN APPLICATION

Specific versions of the MongoDB C# Driver may erroneously publish events
containing authe...

View more...

Affects:

MongoDB C# Driver

versions:

2.12 affects 2.12.1 and prior versions


Reference Link →
04/30/2021
CVE-2021-20326
6.5

SPECIALLY CRAFTED QUERY MAY RESULT IN A DENIAL OF SERVICE OF MONGOD

A user authorized to performing a specific type of find query may trigger a
denial of serv...

View more...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.4


Reference Link →
04/12/2021
CVE-2020-7924
4.2

SPECIFIC COMMAND LINE PARAMETER MIGHT RESULT IN ACCEPTING INVALID CERTIFICATE

Usage of specific command line parameter in MongoDB Tools which was originally
intended to...

View more...

Affects:

MongoDB Database Tools

versions:

3.6.5 affects versions prior to 3.6*
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.11
100 affects versions prior to 100.2.0


Reference Link →
04/06/2021
CVE-2021-20334
4.8

LOCAL PRIVILEGE ESCALATION IN MONGODB COMPASS FOR WINDOWS

A malicious 3rd party with local access to the Windows machine where MongoDB
Compass is in...

View more...

Affects:

MongoDB Compass

versions:

1.3.0 affects versions prior to 1.x*


Reference Link →
02/26/2021
CVE-2020-7929
6.5

SPECIALLY CRAFTED REGEX QUERY CAN CAUSE DOS

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.21
4.0 affects versions prior to 4.0.20


Reference Link →
02/26/2021
CVE-2018-25004
4.9

INVARIANT FAILURE WHEN EXPLAINING A FIND WITH A UUID

A user authorized to performing a specific type of query may trigger a denial of
service b...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.11
4.0 affects versions prior to 4.0.6


Reference Link →
02/25/2021
CVE-2021-20327
6.4

MONGODB NODE.JS CLIENT SIDE FIELD LEVEL ENCRYPTION LIBRARY MAY NOT BE VALIDATING
KMS CERTIFICATE

A specific version of the Node.js mongodb-client-encryption module does not
perform correc...

View more...

Affects:

mongodb-client-encryption module

versions:

1.2.0


Reference Link →
02/25/2021
CVE-2021-20328
6.4

MONGODB JAVA DRIVER CLIENT-SIDE FIELD LEVEL ENCRYPTION NOT VERIFYING KMS HOST
NAME

Specific versions of the Java driver that support client-side field level
encryption (CSFL...

View more...

Affects:

mongo-java-driver

versions:

3.11 affects 3.11.2 and prior versions
3.12 affects 3.12.7 and prior versions


Reference Link →
02/11/2021
CVE-2021-20335
6.7

SSL MAY BE UNEXPECTEDLY DISABLED DURING UPGRADE OF MULTIPLE-SERVER MONGODB OPS
MANAGER

For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that
have SSL turn...

View more...

Affects:

Ops Manager

versions:

4.2 affects 4.2.24 and prior versions


Reference Link →
12/01/2020
CVE-2019-20924
6.5

INVARIANT IN INDEXBOUNDSBUILDER

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.2


Reference Link →
11/30/2020
CVE-2020-7925
7.5

DENIAL OF SERVICE WHEN PROCESSING MALFORMED ROLE NAMES

Incorrect validation of user input in the role name parser may lead to use of
uninitialize...

View more...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.0-rc12


Reference Link →
11/30/2020
CVE-2020-7926
6.5

SPECIFIC QUERY CAN CAUSE A DOS AGAINST MONGODB SERVER

A user authorized to perform database queries may cause denial of service by
issuing a spe...

View more...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.1


Reference Link →
11/30/2020
CVE-2020-7927
8.1

POTENTIAL PRIVILEGE ESCALATION IN OPS MANAGER API

Specially crafted API calls may allow an authenticated user who holds
Organization Owner p...

View more...

Affects:

MongoDB Ops Manager

versions:

4.2 affects 4.2.17 and prior versions
4.3 affects 4.3.9 and prior versions
4.4 affects 4.4.2 and prior versions


Reference Link →
11/30/2020
CVE-2019-2392
6.5

$MOD CAN RESULT IN UB

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.20
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.1


Reference Link →
11/30/2020
CVE-2019-2393
6.5

CRASH WHILE JOINING COLLECTIONS WITH $LOOKUP

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.15
4.0 affects versions prior to 4.0.13
4.2 affects versions prior to 4.2.1


Reference Link →
11/30/2020
CVE-2019-20923
6.5

CRASH WHILE HANDLING INTERNAL JAVASCRIPT EXCEPTION TYPES

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.7


Reference Link →
11/30/2020
CVE-2018-20802
6.5

POST-AUTH QUERIES ON COMPOUND INDEX MAY CRASH MONGOD

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.9
4.0 affects versions prior to 4.0.3


Reference Link →
11/30/2020
CVE-2018-20804
6.5

INVARIANT FAILURE IN APPLYOPS

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.13
4.0 affects versions prior to 4.0.10


Reference Link →
11/30/2020
CVE-2018-20805
6.5

INVARIANT WITH $ELEMMATCH

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.0.5


Reference Link →
11/24/2020
CVE-2019-20925
7.5

DENIAL OF SERVICE VIA MALFORMED NETWORK PACKET

An unauthenticated client can trigger denial of service by issuing specially
crafted wire ...

View more...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.1
4.0 affects versions prior to 4.0.13
3.6 affects versions prior to 3.6.15
3.4 affects versions prior to 3.4.24


Reference Link →
11/23/2020
CVE-2020-7928
6.5

IMPROPER NEUTRALIZATION OF NULL BYTE LEADS TO READ OVERRUN

A user authorized to perform database queries may trigger a read overrun and
access arbitr...

View more...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.1
4.2 affects versions prior to 4.2.9
4.0 affects versions prior to 4.0.20
3.6 affects versions prior to 3.6.20


Reference Link →
11/23/2020
CVE-2018-20803
6.5

INFINITE LOOP IN AGGREGATION EXPRESSION

A user authorized to perform database queries may trigger denial of service by
issuing spe...

View more...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.5
3.6 affects versions prior to 3.6.10
3.4 affects versions prior to 3.4.19


Reference Link →
08/21/2020
CVE-2020-7923
6.5

SPECIFIC GEOQUERY CAN CAUSE DOS AGAINST MONGODB SERVER

A user authorized to perform database queries may cause denial of service by
issuing speci...

View more...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19


Reference Link →
05/13/2020
CVE-2019-2388
5.8

POTENTIAL EXPOSURE OF LOG INFORMATION IN OPS MANAGER

In affected Ops Manager versions there is an exposed http route was that may
allow attacke...

View more...

Affects:

Ops Manager

versions:

4.0.9
4.0.10
4.1.5


Reference Link →
05/06/2020
CVE-2020-7921
4.6

ADMINISTRATIVE ACTION MAY DISABLE ENFORCEMENT OF PER-USER IP WHITELISTING

Improper serialization of internal state in the authorization subsystem in
MongoDB Server'...

View more...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3


Reference Link →
04/09/2020
CVE-2020-7922
6.4

KUBERNETES OPERATOR GENERATES POTENTIALLY INSECURE CERTIFICATES

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may
allow an at...

View more...

Affects:

MongoDB Enterprise Kubernetes Operator

versions:

1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions


Reference Link →
03/31/2020
CVE-2019-2391
4.2

JS-BSON MAY INCORRECTLY SERIALISE SOME REQUESTS

Incorrect parsing of certain JSON input may result in js-bson not correctly
serializing BS...

View more...

Affects:

js-bson

versions:

1.0 affects 1.1.3 and prior versions


Reference Link →
08/30/2019
CVE-2019-2389
5.3

PROCESS TERMINATION VIA PID FILE MANIPULATION

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init
scripts allow ...

View more...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22


Reference Link →
08/30/2019
CVE-2019-2390
8.2

CODE EXECUTION ON WINDOWS VIA OPENSSL ENGINE INJECTION

An unprivileged user or program on Microsoft Windows which can create OpenSSL
configuratio...

View more...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22


Reference Link →
08/06/2019
CVE-2019-2386
7.1

AUTHORIZATION SESSION CONFLATION

After user deletion in MongoDB Server the improper invalidation of authorization
sessions ...

View more...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.9
3.6 affects versions prior to 3.6.13
3.4 affects versions prior to 3.4.22


Reference Link →

English

 * English
 * Português
 * Español
 * 한국어
 * 日本語
 * Italiano
 * Deutsch
 * Français
 * 简体中文

© 2023 MongoDB, Inc.

About

 * Careers
 * Investor Relations
 * Legal Notices
 * Privacy Notices
 * Security Information
 * Trust Center

Support

 * Contact Us
 * Customer Portal
 * Atlas Status
 * Customer Support

Social

 * GitHub
 * Stack Overflow
 * LinkedIn
 * YouTube
 * Twitter
 * Twitch
 * Facebook

© 2023 MongoDB, Inc.




PRIVACY PREFERENCE CENTER

"Cookies" are small files that enable us to store information while you visit
one of our websites. When you visit any website, it may store or retrieve
information on your browser, mostly in the form of cookies. This information
might be about you, your preferences or your device and is mostly used to make
the site work as you expect it to. The information does not usually directly
identify you, but it can give you a more personalized web experience. Because we
respect your right to privacy, you can choose not to allow some types of
cookies, but essential cookies are always enabled. Click on the different
category headings to find out more and change our default settings. However,
blocking some types of cookies may impact your experience of the site and the
services we are able to offer.
MongoDB Privacy Policy
Allow All


MANAGE CONSENT PREFERENCES

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.

PERFORMANCE COOKIES

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

FUNCTIONAL COOKIES

Functional Cookies

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

TARGETING COOKIES

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

SOCIAL MEDIA COOKIES

Social Media Cookies

These cookies are set by a range of social media services that we have added to
the site to enable you to share our content with your friends and networks. They
are capable of tracking your browser across other sites and building up a
profile of your interests. This may impact the content and messages you see on
other websites you visit. If you do not allow these cookies you may not be able
to use or see these sharing tools.


BACK BUTTON PERFORMANCE COOKIES



Vendor Search Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Confirm My Choices


By clicking "Accept All Cookies", you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts. You can enable and disable optional cookies as desired.Read
our Privacy Policy

Manage Cookies Accept All Cookies