Name: mongodb
Version: 4.4.24
Type: library
Description: mongodb
Licenses: SSPL-1 & Apache-2.0 & Zlib
PURL: -
CPE: cpe:2.3:*:*:mongodb:4.4.24:*:*:*:*:*:*:* (the part and vendor fields are wildcards, so this pattern matches any product named mongodb at version 4.4.24, not only MongoDB Inc.'s server; treat automated CPE matches against it accordingly)
Other Versions
Patches
#   Title                                                    Author
1   IntelRDFPMathLib20U1: Check for __DEFINED_wchar_t        Vincent Prince <vincent.prince.fr@gmail.com>
2   asio: Don't use experimental with clang                  Vincent Prince <vincent.prince.fr@gmail.com>
3   apply msvc workaround for clang >= 16                    Khem Raj <raj.khem@gmail.com>
4   Patch #4                                                 Unknown
5   stacktrace: Define ARCH_BITS for ppc64                   Khem Raj <raj.khem@gmail.com>
6   Tell scons to use build settings from environment        Vincent Prince <vincent.prince.fr@gmail.com>
7   wiredtiger: Avoid using off64_t                          Khem Raj <raj.khem@gmail.com>
8   Fix build on 32bit                                       Martin Jansa <martin.jansa@gmail.com>
9   The std lib unary/binary_function base classes are       jzmaddock <john@johnmaddock.co.uk>
10  include needed c++ header                                Khem Raj <raj.khem@gmail.com>
11  Use long long instead of int64_t                         Khem Raj <raj.khem@gmail.com>
12  Support deprecated resolver functions                    Khem Raj <raj.khem@gmail.com>
13  Fix compilation with -fno-common.                        Yichao Yu <yyc1992@gmail.com>
14  Use __GLIBC__ to control use of gnu_get_libc_version     Vincent Prince <vincent.prince.fr@gmail.com>
15  Fix type mismatch on 32bit arches                        Khem Raj <raj.khem@gmail.com>
16  Fix default stack size to 256K                           Khem Raj <raj.khem@gmail.com>
17  free_mon: Include missing <cstdint>                      Khem Raj <raj.khem@gmail.com>
18  Add a definition for the macro __ELF_NATIVE_CLASS        Khem Raj <raj.khem@gmail.com>
19  Mark one of strerror_r implementation glibc specific     Khem Raj <raj.khem@gmail.com>
20  Patch #20                                                Khem Raj <raj.khem@gmail.com>
21  stacktrace: Define ARCH_BITS for x86                     Khem Raj <raj.khem@gmail.com>
22  wiredtiger: Disable strtouq on musl                      Khem Raj <raj.khem@gmail.com>
23  server: Adjust the cache alignment assumptions           Khem Raj <raj.khem@gmail.com>
24  ssl_manager.cpp: fix build with gcc 7 and -fpermissive   Fabrice Fontaine <fontaine.fabrice@gmail.com>
25  add explicit static_cast<size_t> to maxMemoryUsageBytes  Khem Raj <raj.khem@gmail.com>
26  Add aliases for arm64 which is same as aarch64           Vincent Prince <vincent.prince.fr@gmail.com>
Vulnerabilities
Analysis: Exploitable
Description: The $_internalApplyOplogUpdate aggregation pipeline stage can be made to apply a document diff containing a malformed binary diff, causing the server to read out-of-bounds memory (which is returned to the caller) or to crash. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command, so read-only users count. No affected-version range is given for this entry.
Analysis: Exploitable
Description: A use-after-free exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who can run server-side JavaScript (for example via $where or $function) can make the server access memory that has already been freed, which may disclose contents of the mongod process memory or crash the server (denial of service). No affected-version range is given for this entry.
Analysis: Exploitable
Description: Mismatched length fields in zlib-compressed protocol headers may allow an unauthenticated client to read uninitialized heap memory, so the flaw is reachable by anything that can open a connection to the listener, before any authentication takes place. Affected: MongoDB Server 7.0 before 7.0.28, 8.0 before 8.0.17, 8.2 before 8.2.3, 6.0 before 6.0.27, 5.0 before 5.0.32, 4.4 before 4.4.30, and every release of the 4.2, 4.0 and 3.6 series (no fixed version is listed for those). The 4.4.24 build on this page falls inside the affected range.
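The entry above describes a length field in the compressed-message header that disagrees with the real payload. As an added example, not MongoDB's own code, the Python below parses the OP_COMPRESSED envelope (16-byte standard header, then originalOpcode, uncompressedSize, compressorId, and the compressed bytes, per the public wire-protocol layout) and shows the check a safe decoder needs: decompress with an explicit output bound and refuse the message unless the length zlib actually produced equals the advertised uncompressedSize. The sample body, request IDs and the 48 MiB size cap are constructed for the example.

```python
"""Added example (not MongoDB's own code): parse an OP_COMPRESSED envelope and
refuse a zlib payload whose real decompressed length disagrees with the
uncompressedSize field in its header."""
import struct
import zlib

OP_COMPRESSED = 2012      # opCode of the compressed envelope
OP_MSG = 2013             # opCode of the wrapped message in the samples below
COMPRESSOR_ZLIB = 2       # compressorId: 0 noop, 1 snappy, 2 zlib, 3 zstd
MAX_UNCOMPRESSED = 48 * 1024 * 1024   # sanity cap chosen for this example

# Constructed sample body; real traffic carries the wrapped message's body here.
SAMPLE_BODY = bytes(range(256)) * 8


def build_compressed(request_id, original_opcode, body, claimed_size=None):
    """Build an OP_COMPRESSED message wrapping body with zlib.
    claimed_size overrides uncompressedSize to model a client whose header
    disagrees with its payload."""
    payload = zlib.compress(body)
    size = len(body) if claimed_size is None else claimed_size
    envelope = struct.pack("<iiB", original_opcode, size, COMPRESSOR_ZLIB)
    total = 16 + len(envelope) + len(payload)
    header = struct.pack("<iiii", total, request_id, 0, OP_COMPRESSED)
    return header + envelope + payload


def parse_compressed(msg):
    """Return (original_opcode, body). Raises ValueError on any length that
    the bytes themselves do not confirm, instead of trusting the header."""
    if len(msg) < 16 + 9:
        raise ValueError("message shorter than the compressed envelope header")
    total, _request_id, _response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError("not an OP_COMPRESSED message")
    if total != len(msg):
        raise ValueError("messageLength does not match bytes received")
    original_opcode, claimed, compressor = struct.unpack_from("<iiB", msg, 16)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("unsupported compressorId %d" % compressor)
    if not 0 <= claimed <= MAX_UNCOMPRESSED:
        raise ValueError("implausible uncompressedSize %d" % claimed)
    # Bound the output at claimed + 1 so an understated header (or a zip bomb)
    # cannot make the decoder produce more than we are prepared to accept.
    inflater = zlib.decompressobj()
    body = inflater.decompress(msg[25:], claimed + 1)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("compressed stream is longer than claimed or truncated")
    # The check that matters: a decoder that sizes a buffer from `claimed` and
    # then parses all `claimed` bytes would expose uninitialised memory when
    # zlib produced fewer. Only the length zlib actually produced counts.
    if len(body) != claimed:
        raise ValueError("uncompressedSize %d but zlib produced %d bytes"
                         % (claimed, len(body)))
    return original_opcode, body


def accepts(msg):
    """True if parse_compressed accepts msg, False if it rejects it."""
    try:
        parse_compressed(msg)
        return True
    except ValueError:
        return False


def demo():
    """Honest, overstated and understated headers for the same payload."""
    honest = build_compressed(1, OP_MSG, SAMPLE_BODY)
    overstated = build_compressed(2, OP_MSG, SAMPLE_BODY,
                                  claimed_size=len(SAMPLE_BODY) + 4096)
    understated = build_compressed(3, OP_MSG, SAMPLE_BODY,
                                   claimed_size=len(SAMPLE_BODY) - 1)
    return {"honest": accepts(honest), "overstated": accepts(overstated),
            "understated": accepts(understated)}


if __name__ == "__main__":
    print(demo())
```

The overstated case is the one that matters for this entry: a decoder that allocates uncompressedSize bytes, decompresses into that buffer and then hands the whole buffer to the message parser leaks whatever the allocator left in the unfilled tail. Bounding the output also rejects the understated case rather than silently truncating it.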
Analysis: Exploitable
Description: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, so connections that should have been closed for failing certificate validation succeed instead, which removes much of the assurance TLS is meant to provide. Affected: MongoDB Server 7.0 up to and including 7.0.5, 6.0 up to and including 6.0.13, 5.0 up to and including 5.0.24, and 4.4 up to and including 4.4.28. The 4.4.24 build on this page falls inside the affected range.
Required Configuration: a server process will allow incoming connections to skip peer certificate validation if it was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.
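To turn the Required Configuration above into a check, here is an added Python example (not MongoDB tooling) that evaluates the two settings the entry names, net.tls.mode and net.tls.CAFile, from a parsed mongod.conf mapping (the nested-dict shape yaml.safe_load produces) and from --tlsMode/--tlsCAFile on the mongod command line. Treating a command-line value as overriding the config file is an assumption made for this example. The WEAK_CONF and FIXED_CONF mappings and the file paths in them are constructed; the legacy net.ssl/--ssl spellings and any other CA-related options are not covered because the entry does not mention them.

```python
"""Added example (not MongoDB tooling): flag a mongod started with TLS enabled
but no CA file, the condition named under Required Configuration."""

TLS_ENABLED_MODES = {"allowTLS", "preferTLS", "requireTLS"}


def _lookup(mapping, dotted):
    """Fetch a nested key such as 'net.tls.CAFile' from a mongod.conf mapping."""
    node = mapping
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def tls_from_config(conf):
    """(mode, CAFile) from a parsed mongod.conf (shape of yaml.safe_load)."""
    if not conf:
        return None, None
    return _lookup(conf, "net.tls.mode"), _lookup(conf, "net.tls.CAFile")


def tls_from_argv(argv):
    """(mode, CAFile) from a mongod command line; accepts --opt value and --opt=value."""
    wanted = {"--tlsMode": None, "--tlsCAFile": None}
    i = 0
    while i < len(argv):
        key, sep, val = argv[i].partition("=")
        if key in wanted:
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                val = argv[i + 1]      # value is the next token
                i += 1
            wanted[key] = val or None
        i += 1
    return wanted["--tlsMode"], wanted["--tlsCAFile"]


def audit_tls(conf=None, argv=()):
    """True when TLS is on (allowTLS/preferTLS/requireTLS) and no CA file is set.
    Assumption for this example: a command-line value overrides the config file."""
    conf_mode, conf_ca = tls_from_config(conf)
    cli_mode, cli_ca = tls_from_argv(list(argv))
    mode = cli_mode or conf_mode
    ca_file = cli_ca or conf_ca
    return mode in TLS_ENABLED_MODES and not ca_file


# Constructed configurations: the weak one enables TLS without a CA file,
# the fixed one adds net.tls.CAFile so peer certificates are validated.
WEAK_CONF = {"net": {"port": 27017, "tls": {
    "mode": "requireTLS",
    "certificateKeyFile": "/etc/ssl/mongod.pem"}}}
FIXED_CONF = {"net": {"port": 27017, "tls": {
    "mode": "requireTLS",
    "certificateKeyFile": "/etc/ssl/mongod.pem",
    "CAFile": "/etc/ssl/ca.pem"}}}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "skips peer validation:", audit_tls(conf))
```

On an affected build, a True result from audit_tls is a finding regardless of client behaviour; on 4.4.29 and later (per the version range above) the setting is still worth correcting, since a mongod with no CA file has nothing to validate client certificates against.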
Analysis: False Positive
Description: The skyring-setup command creates a random password for the skyring MongoDB database but writes it in plain text to /etc/skyring/skyring.conf, a file owned by root but readable by local users. Any local user with access to a system running the skyring service can therefore read the password. The flaw is in skyring's setup tooling rather than in the MongoDB server built here, hence the verdict.
Analysis: False Positive
Description: MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and deleting information, which can cause a denial of service. This is specific to the Satellite 6 deployment rather than to the MongoDB package built here, hence the verdict.