Post-auth queries on compound index may crash mongod
CVE-2018-20802

6.5MEDIUM

Key Information:

Vendor: MongoDB
Status: Mongodb Server
Vendor: CVE Published:; 23 November 2020

Summary

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.

Affected Version(s)

MongoDB Server 3.6 < 3.6.9

MongoDB Server 4.0 < 4.0.3

References

https://jira.mongodb.org/browse/SERVER-36993

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 23, 2020
Vulnerability Reserved
Mar 15, 2019