Bug 1934765 (CVE-2018-25004)
Summary: | CVE-2018-25004 mongodb: Denial of service through generic explain command on a find query | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | athomas, bkearney, databases-maint, hhorak, jjoyce, jorton, jschluet, lhh, lpeer, mburns, sclewis, slinaber |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | mongodb 3.6.11, mongodb 4.0.6, mongodb 4.1.7 | Doc Type: | If docs needed, set a value |
Doc Text: |
An improper input validation flaw causing a denial-of-service found in MongoDB. An attacker can perform a specific type of query which issues a generic explain command on a find query causing denial-of-service. The highest threat from this vulnerability is to the system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1940520, 1944735 | ||
Bug Blocks: | 1934768 |
Description
Pedro Sampaio
2021-03-03 19:33:29 UTC
Upstream patches: https://github.com/mongodb/mongo/commit/722f06f3217c029ef9c50062c8cc775966fd7ead [master] https://github.com/mongodb/mongo/commit/d315547544d7146b93a8e6e94cc4b88cd0d19c95 [v4.0] https://github.com/mongodb/mongo/commit/5c7c6729c37514760fd34da462b6961a2e385417 [v3.6] External References: https://jira.mongodb.org/browse/SERVER-38275 |