Bug 1934763 (CVE-2020-7929)
| Summary: | CVE-2020-7929 mongodb: Denial of service through specially crafted regex | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | athomas, bkearney, databases-maint, hhorak, jjoyce, jorton, jschluet, lhh, lpeer, mburns, sclewis, slinaber |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mongodb 3.6.21, mongodb 4.0.20 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in mongodb. A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for $regex. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1940401 | ||
| Bug Blocks: | 1934766, 1934767, 1934769 | ||
|
Description
Pedro Sampaio
2021-03-03 19:23:37 UTC
Upstream patches: https://github.com/mongodb/mongo/commit/64095239f41e9f3841d8be9088347db56d35c891 [v4.0] https://github.com/mongodb/mongo/commit/b0ef26c639112b50648a02d969298650fbd402a4 [v3.6] https://github.com/mongodb/mongo/commit/51caad0e005e1a6dc1bd529cb809ba0d7d5eef0d [v3.6] External References: https://jira.mongodb.org/browse/SERVER-51083 |