CVE-2012-6619
Severity: medium
CVSS v3: not available
CVSS v4: not available
VIR risk: 6.4
Description
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read.
Predictions
Exploit likelihood: 20%
Patch ETA: not available
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| mongodb | mongodb | 2.0.6 | |
| mongodb | mongodb | up to and including 2.3.1 | |
| mongodb | mongodb | 1.2.0 | |
| mongodb | mongodb | 1.4.0 | |
| mongodb | mongodb | 1.6.0 | |
| mongodb | mongodb | 1.8.0 | |
| mongodb | mongodb | 2.0.0 | |
| mongodb | mongodb | 2.0.1 | |
| mongodb | mongodb | 2.0.2 | |
| mongodb | mongodb | 2.0.3 | |
| mongodb | mongodb | 2.0.4 | |
| mongodb | mongodb | 2.0.5 | |
| mongodb | mongodb | 2.0.7 | |
| mongodb | mongodb | 2.0.8 | |
| mongodb | mongodb | 2.2.0 | |
| mongodb | mongodb | 2.2.1 | |
| mongodb | mongodb | 2.2.2 | |
| mongodb | mongodb | 2.2.3 | |
| mongodb | mongodb | 2.2.4 | |
| mongodb | mongodb | 2.2.5 | |
| mongodb | mongodb | 2.2.6 | |
| mongodb | mongodb | 2.2.7 | |
| mongodb | mongodb | 2.3.0 | |
References
- http://blog.ptsecurity.com/2012/11/attacking-mongodb.html
- http://rhn.redhat.com/errata/RHSA-2014-0230.html
- http://rhn.redhat.com/errata/RHSA-2014-0440.html
- http://www.openwall.com/lists/oss-security/2014/01/07/13
- http://www.openwall.com/lists/oss-security/2014/01/07/2
- http://www.openwall.com/lists/oss-security/2014/01/08/9
- https://bugzilla.redhat.com/show_bug.cgi?id=1049748
- https://jira.mongodb.org/browse/SERVER-7769
CWEs
CWE-20