First published: Mon Nov 23 2020(Updated: )
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
Credit: cna@mongodb.com
Affected Software | Affected Version | How to fix |
---|---|---|
MongoDB Server | >=3.6.0<3.6.20 | Upgrade to 3.6.20 or later on the 3.6 line |
MongoDB Server | >=4.0.0<4.0.20 | Upgrade to 4.0.20 or later on the 4.0 line |
MongoDB Server | >=4.2.0<4.2.9 | Upgrade to 4.2.9 or later on the 4.2 line |
MongoDB Server | >=4.4.0<4.4.1 | Upgrade to 4.4.1 or later on the 4.4 line |
The vulnerability ID is CVE-2019-2392.
The severity of CVE-2019-2392 is medium, with a severity score of 6.5.
CVE-2019-2392 affects MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; and v3.6 versions prior to 3.6.20.
The issue is a denial of service, not a data-access flaw: it requires an account that is already authorized to run queries, and is triggered by a specially crafted query whose $mod operator is given values that overflow on negative operands. Because any authenticated query user can trigger it, restricting query privileges does not remove the exposure; upgrading does.
The fix for CVE-2019-2392 is included in MongoDB Server versions 4.4.1, 4.2.9, 4.0.20 and 3.6.20. Compare the output of db.version() against these fixed releases for your server's release line.
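The following is an added example and not code from the advisory or from MongoDB. It encodes the affected ranges from the table above as a version check you can run against the string returned by db.version(), and adds a conservative application-side scan that flags $mod filters carrying negative operands, so that such queries can be rejected until servers are patched. The scan is an assumption on my part: the advisory only says the overflow involves negative values under $mod, so the guard errs on the side of refusing any negative operand rather than modelling the exact trigger. The function names, the treatment of "-rcN" suffixes and the sample filters are all mine.

```python
"""CVE-2019-2392 helpers (added example, not MongoDB's own code).

1. is_affected()/fixed_version_for(): compare a MongoDB Server version
   against the affected ranges from the advisory table.
2. find_negative_mod(): walk a query filter document and report $mod
   operators with a negative divisor or remainder (assumed, conservative
   guard for unpatched servers; the advisory does not state exact values).
"""
from typing import Any, List, Optional, Tuple

# Affected ranges from the advisory: lower bound inclusive, fixed release exclusive.
AFFECTED_RANGES = [
    ((3, 6, 0), (3, 6, 20)),
    ((4, 0, 0), (4, 0, 20)),
    ((4, 2, 0), (4, 2, 9)),
    ((4, 4, 0), (4, 4, 1)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'x.y.z' as reported by db.version().

    Assumption: a pre-release suffix such as '4.4.0-rc12' is treated as its
    base version, so release candidates of an affected line count as affected.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the same line, or None if the
    version is outside every affected range (including lines the advisory
    does not list, such as 5.x or 3.4)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def _is_negative_number(x: Any) -> bool:
    # bool is a subclass of int in Python; exclude it so True/False are not numbers here.
    return isinstance(x, (int, float)) and not isinstance(x, bool) and x < 0


def find_negative_mod(filter_doc: Any, path: str = "") -> List[str]:
    """Return dotted paths of every $mod operator whose operand list contains
    a negative number, descending through $and/$or/$nor arrays and nested
    documents. Assumed application-side guard, not a MongoDB server check."""
    hits: List[str] = []
    if isinstance(filter_doc, dict):
        for key, value in filter_doc.items():
            here = f"{path}.{key}" if path else key
            if key == "$mod":
                if isinstance(value, (list, tuple)) and any(_is_negative_number(x) for x in value):
                    hits.append(here)
            else:
                hits.extend(find_negative_mod(value, here))
    elif isinstance(filter_doc, (list, tuple)):
        for i, item in enumerate(filter_doc):
            hits.extend(find_negative_mod(item, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real deployment.
    for ver in ("4.2.8", "4.2.9", "3.6.19", "5.0.0"):
        print(ver, "affected" if is_affected(ver) else "not affected", fixed_version_for(ver))
    sample_filter = {"$or": [{"qty": {"$mod": [4, 0]}}, {"n": {"$mod": [3, -1]}}]}
    print(find_negative_mod(sample_filter))
```

In an application that builds filters from user input, calling find_negative_mod() before sending the query and refusing any non-empty result is a stopgap only; the durable fix is the upgrade listed in the table.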