Bug 1934765 (CVE-2018-25004)
| Summary: | CVE-2018-25004 mongodb: Denial of service through generic explain command on a find query | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | athomas, bkearney, databases-maint, hhorak, jjoyce, jorton, jschluet, lhh, lpeer, mburns, sclewis, slinaber |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mongodb 3.6.11, mongodb 4.0.6, mongodb 4.1.7 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An improper input validation flaw causing a denial-of-service found in MongoDB. An attacker can perform a specific type of query which issues a generic explain command on a find query causing denial-of-service. The highest threat from this vulnerability is to the system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1940520, 1944735 | ||
| Bug Blocks: | 1934768 | ||
|
Description
Pedro Sampaio
2021-03-03 19:33:29 UTC
Upstream patches: https://github.com/mongodb/mongo/commit/722f06f3217c029ef9c50062c8cc775966fd7ead [master] https://github.com/mongodb/mongo/commit/d315547544d7146b93a8e6e94cc4b88cd0d19c95 [v4.0] https://github.com/mongodb/mongo/commit/5c7c6729c37514760fd34da462b6961a2e385417 [v3.6] External References: https://jira.mongodb.org/browse/SERVER-38275 |