CVE-2019-20925

Published Nov 24, 2020

Last updated 2 months ago

CVSS high 7.5

Overview

Description: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Source: cna@mongodb.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses

nvd@nist.gov: CWE-697
cna@mongodb.com: CWE-839

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB29E1D7-7E63-4038-9F3E-4787B8BE0761",
            "versionEndExcluding": "3.4.24",
            "versionStartIncluding": "3.4.0"
          },
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "295BD300-FE65-4A87-A3E6-2B7CA845FD52",
            "versionEndExcluding": "3.6.15",
            "versionStartIncluding": "3.6.0"
          },
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D6052EEF-CD59-4E96-9C8F-054245771F62",
            "versionEndExcluding": "4.0.13",
            "versionStartIncluding": "4.0.0"
          },
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "92555477-B2C9-486C-8583-42C407047811",
            "versionEndExcluding": "4.2.1",
            "versionStartIncluding": "4.2.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References