CVE-2019-20925
Published: 24 November 2020
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Notes
Author | Note |
---|---|
msalvatore | Introduced by https://github.com/mongodb/mongo/commit/91800fc61913358350b658406065c5d893d2ba2c |
Priority
Status
Package | Release | Status |
---|---|---|
mongodb Launchpad, Ubuntu, Debian |
bionic |
Released
(1:3.6.3-0ubuntu1.4)
|
focal |
Released
(1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3)
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Released
(3.6.15, 4.0.13, 4.2.1, 4.3.1, 3.4.24)
|
|
xenial |
Not vulnerable
(code not present)
|
|
Patches: upstream: https://github.com/mongodb/mongo/commit/c1a956e084d39e6da75cd347e63d0064ed9151a8 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |