CVE-2019-20925

Published Nov 24, 2020

Last updated 6 months ago

CVSS high 7.5

Overview

Description: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
Source: cna@mongodb.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses

cna@mongodb.com: CWE-839
nvd@nist.gov: CWE-697

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB29E1D7-7E63-4038-9F3E-4787B8BE0761",
            "versionEndExcluding": "3.4.24",
            "versionStartIncluding": "3.4.0"
          },
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "295BD300-FE65-4A87-A3E6-2B7CA845FD52",
            "versionEndExcluding": "3.6.15",
            "versionStartIncluding": "3.6.0"
          },
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D6052EEF-CD59-4E96-9C8F-054245771F62",
            "versionEndExcluding": "4.0.13",
            "versionStartIncluding": "4.0.0"
          },
          {
            "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "92555477-B2C9-486C-8583-42C407047811",
            "versionEndExcluding": "4.2.1",
            "versionStartIncluding": "4.2.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References