First published: Mon Nov 23 2020
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19.
Credit: cna@mongodb.com
Affected Software | Affected Version | How to fix |
---|---|---|
MongoDB Server | >=3.4.0, <3.4.19 | Update to 3.4.19 or later |
MongoDB Server | >=3.6.0, <3.6.10 | Update to 3.6.10 or later |
MongoDB Server | >=4.0.0, <4.0.5 | Update to 4.0.5 or later |
CVE-2018-20803 is a vulnerability in MongoDB Server versions prior to 4.0.5, 3.6 versions prior to 3.6.10, and 3.4 versions prior to 3.4.19, that allows a user authorized to perform database queries to trigger denial of service by issuing specially crafted queries.
CVE-2018-20803 works by causing an indefinite loop in the mathematics processing of MongoDB Server, while retaining locks, which leads to denial of service.
CVE-2018-20803 has a severity rating of 6.5, which is considered medium.
CVE-2018-20803 affects MongoDB Server versions prior to 4.0.5, 3.6 versions prior to 3.6.10, and 3.4 versions prior to 3.4.19.
To mitigate CVE-2018-20803, it is recommended to update MongoDB Server to version 4.0.5, 3.6.10, or 3.4.19 or later.
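The two checks a defender would actually run against this advisory, as an added example that is not part of the advisory or MongoDB's own tooling: comparing a server's reported version against the fixed releases listed above, and scanning `db.currentOp()` output for long-running operations that still hold locks, which is the symptom the advisory describes. The `currentOp` document below is constructed for the example; on a real deployment the input comes from `db.version()` and `db.currentOp()`.

```python
"""Defender-side checks for CVE-2018-20803 (added example, not from the advisory)."""
from typing import Dict, List, Tuple

# Fixed releases per the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {(3, 4): (3, 4, 19), (3, 6): (3, 6, 10), (4, 0): (4, 0, 5)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a version string such as '3.6.9' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]  # drop any pre-release suffix
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


def find_stuck_ops(current_op: Dict, min_secs: int = 60) -> List[Dict]:
    """Return active ops that have run at least min_secs while holding any lock."""
    stuck = []
    for op in current_op.get("inprog", []):
        if not op.get("active"):
            continue
        if op.get("secs_running", 0) >= min_secs and op.get("locks"):
            stuck.append({"opid": op["opid"], "ns": op.get("ns"), "secs": op["secs_running"]})
    return stuck


# Constructed db.currentOp() output: one long-running query holding locks, one short one.
SAMPLE_CURRENT_OP = {"inprog": [
    {"opid": 101, "active": True, "secs_running": 3600, "op": "query",
     "ns": "app.orders", "locks": {"Global": "r", "Database": "r", "Collection": "r"}},
    {"opid": 102, "active": True, "secs_running": 2, "op": "query",
     "ns": "app.users", "locks": {"Global": "r"}},
]}

if __name__ == "__main__":
    print("3.6.9 affected:", is_affected_version("3.6.9"))
    print("4.0.5 affected:", is_affected_version("4.0.5"))
    # Each entry here is a candidate for db.killOp(opid) until the server is patched.
    print("stuck ops:", find_stuck_ops(SAMPLE_CURRENT_OP))
```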