{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "4.4.0-rc7", "status": "affected", "version": "4.4", "versionType": "custom"}, {"lessThan": "4.2.8", "status": "affected", "version": "4.2", "versionType": "custom"}, {"lessThan": "4.0.19", "status": "affected", "version": "4.0", "versionType": "custom"}]}], "datePublic": "2020-08-20T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.</p>"}], "value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "description": "CWE-755 Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T15:13:08.850Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.mongodb.org/browse/SERVER-47773"}], "source": {"defect": ["SECURITY-658"], "discovery": "INTERNAL"}, "title": "Specific GeoQuery can cause DoS against MongoDB Server", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2020-08-21T14:40:00.000Z", "ID": "CVE-2020-7923", "STATE": "PUBLIC", "TITLE": "Specific GeoQuery can cause DoS against MongoDB Server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Server", "version": {"version_data": [{"version_affected": "<", "version_name": "4.4", "version_value": "4.4.0-rc7"}, {"version_affected": "<", "version_name": "4.2", "version_value": "4.2.8"}, {"version_affected": "<", "version_name": "4.0", "version_value": "4.0.19"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-755 Improper Handling of Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/SERVER-47773", "refsource": "MISC", "url": "https://jira.mongodb.org/browse/SERVER-47773"}]}, "source": {"defect": ["SECURITY-658"], "discovery": "INTERNAL"}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-7923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:48:55.411971Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*"], "vendor": "mongodb", "product": "mongodb", "versions": [{"status": "affected", "version": "4.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:12:12.302Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:24.552Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.mongodb.org/browse/SERVER-47773"}]}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2020-7923", "datePublished": "2020-08-21T14:25:12.201543Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T02:27:47.252Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-47773", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:24.552Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-7923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:48:55.411971Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*"], "vendor": "mongodb", "product": "mongodb", "versions": [{"status": "affected", "version": "4.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T18:48:10.220Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Specific GeoQuery can cause DoS against MongoDB Server", "source": {"defect": ["SECURITY-658"], "discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc.", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "4.4", "lessThan": "4.4.0-rc7", "versionType": "custom"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.8", "versionType": "custom"}, {"status": "affected", "version": "4.0", "lessThan": "4.0.19", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2020-08-20T23:00:00.000Z", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-47773", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.", "supportingMedia": [{"type": "text/html", "value": "<p>A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-755", "description": "CWE-755 Improper Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T15:13:08.850Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, "source": {"defect": ["SECURITY-658"], "discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "4.4", "version_value": "4.4.0-rc7", "version_affected": "<"}, {"version_name": "4.2", "version_value": "4.2.8", "version_affected": "<"}, {"version_name": "4.0", "version_value": "4.0.19", "version_affected": "<"}]}, "product_name": "MongoDB Server"}]}, "vendor_name": "MongoDB Inc."}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://jira.mongodb.org/browse/SERVER-47773", "name": "https://jira.mongodb.org/browse/SERVER-47773", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-755 Improper Handling of Exceptional Conditions"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-7923", "STATE": "PUBLIC", "TITLE": "Specific GeoQuery can cause DoS against MongoDB Server", "ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2020-08-21T14:40:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2020-7923", "state": "PUBLISHED", "dateUpdated": "2024-09-17T02:27:47.252Z", "dateReserved": "2020-01-23T00:00:00", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2020-08-21T14:25:12.201543Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "38CB828C-5F5F-476C-9644-543FDB6573BA", "versionEndExcluding": "4.0.19", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DA31477-9685-4A7D-888E-45222DC780C9", "versionEndExcluding": "4.2.8", "versionStartIncluding": "4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B0B3E97-0E31-4904-95C6-1F7B8252606D", "versionEndExcluding": "4.4.0", "versionStartIncluding": "4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19."}, {"lang": "es", "value": "Un usuario autorizado para llevar a cabo consultas en la base de datos puede causar una denegaci\u00f3n de servicio al emitir consultas especialmente dise\u00f1adas, que violan una invariante en el soporte del subsistema de consultas para geoNear. Este problema afecta a: MongoDB Server de MongoDB Inc versiones v4.4 anteriores a 4.4.0-rc7; versiones v4.2 anteriores a 4.2.8; versiones v4.0 anteriores a 4.0.19"}], "id": "CVE-2020-7923", "lastModified": "2024-11-21T05:38:01.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-21T15:15:13.273", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-47773"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-47773"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "cna@mongodb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mongodb: GeoQuery can lead to DoS", "id": "1871252", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871252"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.", "A flaw was found in mongodb. A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. The highest threat from this vulnerability is to system availability."], "name": "CVE-2020-7923", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "mongodb", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb34-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb36-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "impact": "low", "package_name": "mongodb", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2020-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7923\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7923"], "statement": "Red Hat Satellite 6.6 onward does not ship the MongoDB package; however, the product consumes MongoDB from Red Hat Software Collections (RHSCL) for Red Hat Enterprise Linux. Satellite has no plans to update to a version of MongoDB released with a Server Side Public License (SSPL) which includes all versions released after October 16, 2018. Refer to this article for more information: https://access.redhat.com/articles/5767021\nRed Hat Update Infrastructure 3 ships an affected version of mongodb, however it does not use GeoQuery and it is not vulnerable to this flaw.", "threat_severity": "Moderate", "upstream_fix": "mongodb 4.5.1, mongodb 4.0.19, mongodb 4.2.8, mongodb 4.4.0-rc7"}