First published: Mon Mar 01 2021 (Updated: )
A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MongoDB MongoDB | >=3.6.0, <3.6.11 | Upgrade to 3.6.11 |
| MongoDB MongoDB | >=4.0.0, <4.0.6 | Upgrade to 4.0.6 |
CVE-2018-25004 is a vulnerability that allows a user authorized to perform a specific type of query in MongoDB Server versions prior to 4.0.6 and 3.6.11 to trigger a denial of service by issuing a generic explain command on a find query.
CVE-2018-25004 affects MongoDB Server v4.0 versions prior to 4.0.6 and v3.6 versions prior to 3.6.11.
CVE-2018-25004 has a severity rating of 4.9, which is considered medium.
CVE-2018-25004 can be exploited by a user authorized to perform a specific type of query in MongoDB Server by issuing a generic explain command on a find query.
Yes, MongoDB Inc. has released patches for CVE-2018-25004. Users should update to MongoDB Server v4.0.6 or v3.6.11 to fix the vulnerability.
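The practical check a defender wants from this advisory is whether a given server build falls inside the two affected ranges. The script below is an added example, not code from SecAlerts or MongoDB Inc.: it encodes the ranges from the table above, compares versions numerically (a plain string comparison would misplace builds such as 4.0.10 relative to 4.0.6), and reports the upgrade target stated on the page. It runs under Node.js on constructed sample versions; pasted into the mongo shell, where `db` is defined, it checks the live `db.version()` value instead.

```javascript
// Added example (not from the SecAlerts page or MongoDB Inc.): classify a
// MongoDB server version string against the affected ranges stated in the
// advisory for CVE-2018-25004 and report the fixed release to upgrade to.

// Affected ranges as listed on the page, as [min, fixed) pairs.
const AFFECTED_RANGES = [
  { min: "3.6.0", fixed: "3.6.11" },
  { min: "4.0.0", fixed: "4.0.6" },
];

// Parse "4.0.5" (a suffix such as "4.0.5-rc0" is tolerated) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Component-wise numeric comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the matching range when version lies in [min, fixed), otherwise null.
function affectedRange(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0) {
      return r;
    }
  }
  return null;
}

function isAffected(version) {
  return affectedRange(version) !== null;
}

// Human-readable verdict including the upgrade target from the advisory.
function assess(version) {
  const r = affectedRange(version);
  return r
    ? `MongoDB ${version} is affected by CVE-2018-25004; upgrade to ${r.fixed} or later`
    : `MongoDB ${version} is not in an affected range for CVE-2018-25004`;
}

// In the mongo shell `db` exists and we check the live server; under Node it
// does not, so fall back to constructed sample versions around both boundaries.
const samples =
  typeof db !== "undefined" ? [db.version()] : ["3.6.10", "3.6.11", "4.0.5", "4.0.6", "4.0.10", "4.2.0"];
for (const v of samples) console.log(assess(v));
```

Because the check is purely on version boundaries, it says nothing about whether a server has been rebuilt with a backported fix; treat a positive result as a prompt to verify the installed build and schedule the upgrade the advisory names.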