pkg:Bitnami/mongodb

所有已知漏洞

• HIGH7.5CVE-2025-14847⚠ KEVZlib compressed protocol header length confusion may allow memory read
  >= 4.4.0, < 4.4.30, >= 5.0.0, < 5.0.32, >= 6.0.0, < 6.0.27, >= 7.0.0, < 7.0.28, >= 8.0.0, < 8.0.17, >= 8.2.0, < 8.2.3
• CRITICAL9.8CVE-2025-3085MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked
  >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.4
• CRITICAL9.8MongoDB Server may access non-initialized region of memory leading to unexpected behaviour
  >= 6.0.0, < 6.0.15
• CRITICAL9.8MongoDB Server may allow successful untrusted connection
  >= 4.4.0, < 5.0.26, >= 6.0.0, < 6.0.14, >= 7.0.0, < 7.0.7
• HIGH8.8Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server
  >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.4
• HIGH8.1Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server
  >= 5.0.0, < 5.0.30, >= 6.0.0, < 6.0.19, >= 7.0.0, < 7.0.15, >= 8.0.0, < 8.0.3
• HIGH7.8Accessing Untrusted Directory May Allow Local Privilege Escalation
  >= 5.0.0, < 5.0.27, >= 6.0.0, < 6.0.16, >= 7.0.0, < 7.0.12
• HIGH7.5Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections
  >= 6.0.0, < 6.0.23, >= 7.0.0, < 7.0.20, >= 8.0.0, < 8.0.9
• HIGH7.5Malformed MongoDB wire protocol messages may cause mongos to crash
  >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16
• HIGH7.5MongoDB Server may have unexpected application behaviour due to invalid BSON
  >= 5.0.0, < 5.0.25, >= 6.0.0, < 6.0.14, >= 7.0.0, < 7.0.6
• HIGH7.5MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation
  >= 6.0.0, < 6.0.25, >= 7.0.0, < 7.0.22, >= 8.0.0, < 8.0.12
• HIGH7.5Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB
  >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.5
• HIGH7.5Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication
  >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.5
• HIGH7.5MongoDB C Driver bson library may be susceptible to buffer overflow
  >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.1
• HIGH7.5Denial of Service when processing malformed Role names
  >= 4.2.0, < 4.2.9
• HIGH7.5Large aggregation pipelines with a specific stage can crash mongod under default configuration
  >= 4.2.0, < 4.2.16, >= 4.4.0, < 4.4.11, >= 5.0.0, < 5.0.4
• HIGH7.5Certificate validation issue in MongoDB Server running on Windows or macOS
  >= 4.4.0, < 4.4.23, >= 5.0.0, < 5.0.15, >= 6.0.0, < 6.0.7, >= 6.3.0, < 6.3.3
• HIGH7.1Denial of Service and Data Integrity vulnerability in features command
  >= 2.0.0, < 4.2.18, >= 4.4.0, < 4.4.10, >= 5.0.0, < 5.0.4
• MEDIUM6.7MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths
  >= 5.0.0, < 5.0.26, >= 6.0.0, < 6.0.14, >= 6.1.0, < 7.0.7
• MEDIUM6.5Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior
  >= 7.0.0, < 7.0.25, >= 8.0.0, < 8.0.15
• MEDIUM6.5Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash
  >= 8.1.0, < 8.2.0
• MEDIUM6.5MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage
  >= 6.0.0, < 6.0.22, >= 7.0.0, < 7.0.19, >= 8.0.0, < 8.0.7
• MEDIUM6.5MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation
  >= 8.0.0, < 8.0.10
• MEDIUM6.5MongoDB Server may crash due to improper validation of explain command
  >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.4
• MEDIUM6.5MongoDB Server router will crash when incorrect lsid is set on a sharded query
  >= 6.0.0, < 6.0.24, >= 7.0.0, < 7.0.18, >= 8.0.0, < 8.0.6
• MEDIUM6.5Malformed $group Query May Cause MongoDB Server to Crash
  >= 6.0.0, < 6.0.25, >= 7.0.0, < 7.0.22, >= 8.0.0, < 8.0.12, >= 8.1.0, < 8.1.2
• MEDIUM6.5MongoDB Server secondaries may crash due to forced index constraints
  >= 6.0.0, < 6.0.17, >= 7.0.0, < 7.0.14
• MEDIUM6.5Missing authorization check may lead to shard key refinement
  >= 5.0.0, < 5.0.22, >= 6.0.0, < 6.0.11, >= 7.0.0, < 7.0.3
• MEDIUM6.5Specific query can cause a DoS against MongoDB Server
  >= 4.4.0, < 4.4.1
• MEDIUM6.5Improper neutralization of null byte leads to read overrun
  >= 3.6.0, < 3.6.20, >= 4.0.0, < 4.0.20, >= 4.2.0, < 4.2.9, >= 4.4.0, < 4.4.1, >= 4.5.0, < 4.5.1
• MEDIUM6.5Specially crafted regex query can cause DoS
  >= 3.6.0, < 3.6.21, >= 4.0.0, < 4.0.20
• MEDIUM6.5Specially crafted query may result in a denial of service of mongod
  >= 4.4.0, < 4.4.4
• MEDIUM6.5Specific replication command with malformed oplog entries can crash secondaries
  >= 4.0.0, < 4.0.25, >= 4.2.0, < 4.2.14, >= 4.4.0, < 4.4.6
• MEDIUM6.5User may trigger invariant when allowed to send commands directly to shards
  >= 5.0.0, < 5.0.3
• MEDIUM6.5MongoDB Server (mongod) may crash in response to unexpected requests
  >= 5.0.0, < 5.0.7
• MEDIUM6.5mongodb - security update
  >= 4.0.0, < 4.0.19, >= 4.2.0, < 4.2.8, >= 4.4.0, < 4.4.0
• MEDIUM5.5MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text
  from 0, < 0.7.1
• MEDIUM5.4User may override a view's collation and gain unauthorized access to underlying data
  >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.14, >= 7.3.0, < 7.3.4
• MEDIUM5.4Race condition in privilege cache invalidation cycle
  >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.24, >= 7.0.0, < 7.0.21, >= 8.0.0, < 8.0.5
• MEDIUM5.3MongoDB Server (mongod) may crash when generating ftdc
  >= 5.0.0, < 5.0.26, >= 6.0.0, < 6.0.15
• MEDIUM5.3"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier.
  >= 6.0.0, < 6.0.16, >= 7.0.0, < 7.0.11, >= 7.3.0, < 7.3.3
• MEDIUM5.3Administrative action may disable enforcement of per-user IP whitelisting
  >= 3.6.0, < 3.6.18, >= 4.0.0, < 4.0.15, >= 4.2.0, < 4.2.3, >= 4.3.0, < 4.3.3
• MEDIUM5.3Server log entry spoofing via newline injection
  >= 3.6.0, < 3.6.20, >= 4.0.0, < 4.0.21, >= 4.2.0, < 4.2.10
• MEDIUM4.9Incomplete Redaction of Sensitive Information in MongoDB Server Logs
  >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.18, >= 8.0.0, < 8.0.5
• —Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands
  >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
• —Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators
  >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
• —Schema validation log messages may not redact user data
  >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
• —FlatBSON Duplicate Field Index Drift
  >= 5.0.0, < 5.0.33, >= 6.0.0, < 6.0.28, >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
• —Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields
  >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
• —Post-auth memory exhaustion via bitwise match expressions
  >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
• —ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators
  >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.20, >= 8.2.0, < 8.2.6, >= 8.3.0, < 8.3.1
• —Stack memory disclosure in filemd5 command
  >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.20, >= 8.2.0, < 8.2.6, >= 8.3.0, < 8.3.1
• —Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server
  >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.16, >= 8.2.0, < 8.2.2, >= 8.3.0, < 8.3.1
• —Post-auth null pointer dereference when aggregating against a view with empty search pipeline
  >= 8.2.0, < 8.2.7
• —Flaw in the updateUser Command May Allow Unauthorized Configuration Change
  >= 7.0.0, < 7.0.32, >= 8.0.0, < 8.0.21, >= 8.2.0, < 8.2.7
• —MD5 checksum creation may cause availability loss
  >= 7.0.0, < 7.0.32, >= 8.0.0, < 8.0.21, >= 8.1.0, < 8.2.7
• —Users could trigger a crash of mongod primaries during promotion to sharded
  >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.2
• —Memory safety issues in slot-based execution hash table spill
  >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.20, >= 8.2.0, < 8.2.6
• —An unsafe cast in the MongoDB query planner can result in a segmentation fault.
  >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
• —Invalid $geoNear index hint may cause server crash
  >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.13
• —profile command may permit unauthorized configuration
  >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
• —An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification
  >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
• —Mongod can run out of stack memory when expressions create deeply nested documents
  >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.2
• —Connections received from the proxy port may not count towards total accepted connections
  >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
• —MongoDB Server may crash when inserting large documents
  >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
• —Malformed KMIP response may result in access violation
  >= 6.0.0, < 7.0.22, >= 8.0.0, < 8.0.10
• —MongoDB may be susceptible to Invariant Failure due to batched delete
  >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.13, >= 8.1.0, < 8.1.2
• —MongoDB Server may allow queries to be terminated by unauthorized users
  >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.14
• —Time-series operations may cause internal BSON size limit to be exceed
  >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.16, >= 8.2.0, < 8.2.1
• —Improper Certificate Validation May Allow Successful TLS Handshaking Despite Invalid Extended Key Usage Fields in MongoDB Server
  >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.16, >= 8.2.0, < 8.2.2