[SERVER-38275] Handle explains without namespaces Created: 27/Nov/18  Updated: 29/Oct/23  Resolved: 09/Jan/19

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: None
Fix Version/s: 3.6.11, 4.0.6, 4.1.7

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Ian Boros
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.0, v3.6, v3.4
Sprint: Query 2018-12-31, Query 2019-01-14
Participants:

Description
CVE-2018-25004

Title: Invariant failure when explaining a find with a UUID
CVE ID: CVE-2018-25004
Description
A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11.

CVSS score:
This issue's CVSS:3.1 severity is scored at 4.8 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:F/RL:U/RC:C

Affected versions
MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11.

Underlying operating systems affected: ALL

How the issue was reported: Internally

CWE: CWE-20: Improper Input Validation



Comments
Comment by Githook User [ 22/Jan/19 ]

Author:

{'email': 'ian.boros@10gen.com', 'name': 'Ian Boros'}

Message: SERVER-38275 ban explain with UUID
Branch: v3.6
https://github.com/mongodb/mongo/commit/5c7c6729c37514760fd34da462b6961a2e385417

Comment by Githook User [ 11/Jan/19 ]

Author:

{'email': 'ian.boros@10gen.com', 'name': 'Ian Boros'}

Message: SERVER-38275 ban explain with UUID
Branch: v4.0
https://github.com/mongodb/mongo/commit/d315547544d7146b93a8e6e94cc4b88cd0d19c95

Comment by Githook User [ 09/Jan/19 ]

Author:

{'email': 'ian.boros@10gen.com', 'name': 'Ian Boros'}

Message: SERVER-38275 ban find explain with UUID
Branch: master
https://github.com/mongodb/mongo/commit/722f06f3217c029ef9c50062c8cc775966fd7ead

Generated at Thu Feb 08 04:48:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.