CVE-2019-20925
Published: 24 November 2020
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Notes
| Author | Note |
|---|---|
| msalvatore | Introduced by https://github.com/mongodb/mongo/commit/91800fc61913358350b658406065c5d893d2ba2c |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
mongodb Launchpad, Ubuntu, Debian |
bionic |
Released
(1:3.6.3-0ubuntu1.4)
|
| focal |
Released
(1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3)
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(3.6.15, 4.0.13, 4.2.1, 4.3.1, 3.4.24)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/mongodb/mongo/commit/c1a956e084d39e6da75cd347e63d0064ed9151a8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |