CVE-2018-25004 MEDIUM

CVE-2018-25004: Invariant failure when explaining a find with a UUID

Vendor MongoDB Inc.
Product MongoDB Server
Weakness CWE-20 · Input validation
Published March 1, 2021
Last update November 19, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.

Key dates

02 Disclosure timeline

March 1, 2021 CVE published
November 19, 2024 Record updated