Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 6.4
CVE Id CVE-2012-6619
Last Modified 06 May 2014 11:45:15
Published 06 Mar 2014 10:55:28
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2012-6619

Summary

The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read.

Vulnerable Systems

Application

  • MongoDB 1.2.0
  • MongoDB 1.4.0
  • MongoDB 1.6.0
  • MongoDB 1.8.0
  • MongoDB 2.0.0
  • MongoDB 2.0.1
  • MongoDB 2.0.2
  • MongoDB 2.0.3
  • MongoDB 2.0.4
  • MongoDB 2.0.5
  • MongoDB 2.0.6
  • MongoDB 2.0.7
  • MongoDB 2.0.8
  • MongoDB 2.2.0
  • MongoDB 2.2.1
  • MongoDB 2.2.2
  • MongoDB 2.2.3
  • MongoDB 2.2.4
  • MongoDB 2.2.5
  • MongoDB 2.2.6
  • MongoDB 2.2.7
  • MongoDB 2.3.0
  • MongoDB 2.3.1

References

CONFIRM - https://jira.mongodb.org/browse/SERVER-7769

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1049748

MLIST - [oss-security] 20140108 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)

MLIST - [oss-security] 20140107 MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)

MLIST - [oss-security] 20140107 Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)

REDHAT - RHSA-2014:0230

MISC - http://blog.ptsecurity.com/2012/11/attacking-mongodb.html

REDHAT - RHSA-2014:0440

Last Updated: 27 May 2016 11:04:34