CVE-2019-20925

Summary

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.

Affected Software

VendorProductVersion RangeStatus
MongoDB Inc.MongoDB Server4.2 < 4.2.1affected
MongoDB Inc.MongoDB Server4.0 < 4.0.13affected
MongoDB Inc.MongoDB Server3.6 < 3.6.15affected
MongoDB Inc.MongoDB Server3.4 < 3.4.24affected

Weaknesses

  • CWE-839: CWE-839: Numeric Range Comparison Without Minimum Check

ADP Enrichment

CVE Program Container

Additional References

References