1900860 – (CVE-2020-7925) CVE-2020-7925 mongodb: Incorrect validation of user input in the role name parser

Bug 1900860 (CVE-2020-7925) - CVE-2020-7925 mongodb: Incorrect validation of user input in the role name parser

Summary: CVE-2020-7925 mongodb: Incorrect validation of user input in the role name pa...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-7925
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1900861
Blocks:	1900872
TreeView+	depends on / blocked

Reported:	2020-11-23 20:55 UTC by Pedro Sampaio
Modified:	2021-02-13 00:09 UTC (History)
CC List:	26 users (show)
Fixed In Version:	mongodb 3.6.19, mongodb 4.0.20, mongodb 4.2.9, mongodb 4.4.0-rc12, mongodb 4.7.0
Clone Of:
Environment:
Last Closed:	2020-12-02 11:33:51 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2020-11-23 20:55:30 UTC

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.

Upstream bug:

https://jira.mongodb.org/browse/SERVER-49142

Comment 1 Pedro Sampaio 2020-11-23 20:56:15 UTC

Created mongodb tracking bugs for this issue:

Affects: epel-all [bug 1900861]

Comment 2 Yadnyawalk Tale 2020-11-30 17:39:13 UTC

Red Hat Satellite 6.6 onward does not ship the MongoDB package; however, the product consumes MongoDB from Red Hat Software Collections (RHSCL) for Red Hat Enterprise Linux. Satellite has no plans to update to a version of MongoDB released with a Server Side Public License (SSPL) which includes all versions released after October 16, 2018. Refer to this article for more information: https://access.redhat.com/articles/5767021

Comment 3 Riccardo Schirone 2020-12-01 10:42:35 UTC

Upstream patch:
https://github.com/mongodb/mongo/commit/c7f14b7be4a1f622fe81ef60f946a5aac17f3d0e

Comment 4 Riccardo Schirone 2020-12-02 09:51:01 UTC

Please note that even if the issue was fixed in 3.6, that version is not affected by this flaw. See https://jira.mongodb.org/browse/SERVER-49142?focusedCommentId=3512026&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-3512026 for more details.

Comment 5 Product Security DevOps Team 2020-12-02 11:33:51 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7925

Note You need to log in before you can comment on or make changes to this bug.

admiller
athomas
bkearney
clalancette
databases-maint
dbecker
gghezzo
gparvin
hhorak
jjoyce
jorton
jpacner
jramanat
jschluet
jweiser
lhh
lpeer
mburns
mskalicky
panovotn
sclewis
slinaber
stcannon
strobert
tdawson
thee