SERVER-17521 (Core Server)

improve createIndex validation of empty name

    • Fully Compatible
    • ALL

      Issue Status as of Mar 27, 2015

      ISSUE SUMMARY
      MongoDB is susceptible to a denial of service (crash) due to a failure to check for a missing value.

      When running with authentication, an attacker needs to be successfully authenticated into MongoDB and have write access to a database to be able to exploit this vulnerability.

      USER IMPACT
      Remote attackers may cause a denial of service (crash).

      WORKAROUNDS
      N/A

      AFFECTED VERSIONS
      MongoDB 3.0.0 is affected by this issue.

      FIX VERSION
      The fix is included in the 3.0.1 production releases.

      RESOLUTION DETAILS
      Improve validation of affected field.

      ADDITIONAL INFORMATION
      This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs.

      CVE-2015-2705 has been designated for this issue. We rate this issue with a CVSS score of 6.8.

      Users may reduce their exposure by limiting network access to the server. See the MongoDB Security documentation page for more information on recommended security practices for your MongoDB deployment.

            Assignee:
            eliot Eliot Horowitz (Inactive)
            Reporter:
            eliot Eliot Horowitz (Inactive)