Core Server / SERVER-17521

improve createIndex validation of empty name

    Details

    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:

      Description

      Issue Status as of Mar 27, 2015

      ISSUE SUMMARY
      MongoDB is susceptible to a denial of service (crash) due to a failure to check for a missing value.

      When running with authentication, an attacker needs to be successfully authenticated into MongoDB and have write access to a database to be able to exploit this vulnerability.

      USER IMPACT
      Remote attackers may cause a denial of service (crash).

      WORKAROUNDS
      N/A

      AFFECTED VERSIONS
      MongoDB 3.0.0 is affected by this issue.

      FIX VERSION
      The fix is included in the 3.0.1 production releases.

      RESOLUTION DETAILS
      Improve validation of affected field.

      ADDITIONAL INFORMATION
      This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs.

      CVE-2015-2705 has been designated for this issue. We rate this issue with a CVSS score of 6.8.

      Users may reduce their exposure by limiting network access to the server. See the MongoDB Security documentation page for more information on recommended security practices for your MongoDB deployment.
