- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 3.0.0
- Component/s: Index Maintenance
- Fully Compatible
- ALL
ISSUE SUMMARY
MongoDB is susceptible to a denial of service (crash) due to a failure to check for a missing value.
When running with authentication, an attacker needs to be successfully authenticated into MongoDB and have write access to a database to be able to exploit this vulnerability.
USER IMPACT
Remote attackers may cause a denial of service (crash).
WORKAROUNDS
N/A
AFFECTED VERSIONS
MongoDB 3.0.0 is affected by this issue.
FIX VERSION
The fix is included in the 3.0.1 production releases.
RESOLUTION DETAILS
Improve validation of affected field.
ADDITIONAL INFORMATION
This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs.
CVE-2015-2705 has been designated for this issue. We rate this issue with a CVSS score of 6.8.
Users may reduce their exposure by limiting network access to the server. See the MongoDB Security documentation page for more information on recommended security practices for your MongoDB deployment.