CVE-2020-7929 - OpenCVE

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mongodb	Mongodb

Configuration 1 [-]

OR	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::

No data.

References

Link	Providers
https://jira.mongodb.org/browse/SERVER-51083
https://nvd.nist.gov/vuln/detail/CVE-2020-7929
https://www.cve.org/CVERecord?id=CVE-2020-7929

History

Mon, 16 Sep 2024 20:00:00 +0000

Type	Values Removed	Values Added
Description	A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.	A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2021-03-01T16:05:17.498045Z

Updated: 2024-09-16T19:46:52.238Z

Reserved: 2020-01-23T00:00:00

Link: CVE-2020-7929

Vulnrichment

Updated: 2024-08-04T09:48:24.522Z

NVD

Status : Modified

Published: 2021-03-01T16:15:12.747

Modified: 2024-09-16T20:15:36.050

Link: CVE-2020-7929

Redhat

Severity : Moderate

Publid Date: 2021-03-01T00:00:00Z

Links: CVE-2020-7929 - Bugzilla

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "3.6.21", "status": "affected", "version": "3.6", "versionType": "custom"}, {"lessThan": "4.0.20", "status": "affected", "version": "4.0", "versionType": "custom"}]}], "datePublic": "2021-02-26T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.</p>"}], "value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-185", "description": "CWE-185 Incorrect Regular Expression", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T15:49:00.951Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.mongodb.org/browse/SERVER-51083"}], "source": {"discovery": "EXTERNAL"}, "title": "Specially crafted regex query can cause DoS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-02-26T17:00:00.000Z", "ID": "CVE-2020-7929", "STATE": "PUBLIC", "TITLE": "Specially crafted regex query can cause DoS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Server", "version": {"version_data": [{"version_affected": "<", "version_name": "3.6", "version_value": "3.6.21"}, {"version_affected": "<", "version_name": "4.0", "version_value": "4.0.20"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-185 Incorrect Regular Expression"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/SERVER-51083", "refsource": "MISC", "url": "https://jira.mongodb.org/browse/SERVER-51083"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:24.522Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.mongodb.org/browse/SERVER-51083"}]}, {"affected": [{"vendor": "mongodb", "product": "mongodb", "cpes": ["cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.6", "status": "affected", "lessThan": "3.6.21", "versionType": "custom"}, {"version": "4.0", "status": "affected", "lessThan": "4.0.20", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-23T18:12:01.677275Z", "id": "CVE-2020-7929", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:22:54.094Z"}}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2020-7929", "datePublished": "2021-03-01T16:05:17.498045Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T19:46:52.238Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-51083", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:24.522Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-7929", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T18:12:01.677275Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"], "vendor": "mongodb", "product": "mongodb", "versions": [{"status": "affected", "version": "3.6", "lessThan": "3.6.21", "versionType": "custom"}, {"status": "affected", "version": "4.0", "lessThan": "4.0.20", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:22:49.045Z"}}], "cna": {"title": "Specially crafted regex query can cause DoS", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc.", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "3.6", "lessThan": "3.6.21", "versionType": "custom"}, {"status": "affected", "version": "4.0", "lessThan": "4.0.20", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2021-02-26T00:00:00.000Z", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-51083", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.", "supportingMedia": [{"type": "text/html", "value": "<p>A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-185", "description": "CWE-185 Incorrect Regular Expression"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T15:49:00.951Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "3.6", "version_value": "3.6.21", "version_affected": "<"}, {"version_name": "4.0", "version_value": "4.0.20", "version_affected": "<"}]}, "product_name": "MongoDB Server"}]}, "vendor_name": "MongoDB Inc."}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://jira.mongodb.org/browse/SERVER-51083", "name": "https://jira.mongodb.org/browse/SERVER-51083", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-185 Incorrect Regular Expression"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-7929", "STATE": "PUBLIC", "TITLE": "Specially crafted regex query can cause DoS", "ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-02-26T17:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2020-7929", "state": "PUBLISHED", "dateUpdated": "2024-09-16T19:46:52.238Z", "dateReserved": "2020-01-23T00:00:00", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2021-03-01T16:05:17.498045Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "51FC089F-4BF1-4621-A981-60BF88B15B56", "versionEndExcluding": "3.6.21", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "B61A2FF1-19F3-43A8-8163-27E4F1BC267A", "versionEndExcluding": "4.0.20", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20."}, {"lang": "es", "value": "Un usuario autorizado para llevar a cabo consultas a la base de datos puede desencadenar una denegaci\u00f3n de servicio cuando se emite una consulta especialmente dise\u00f1ada que contenga un tipo de expresi\u00f3n regular. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v3.6 anteriores a 3.6.21 y MongoDB Server versiones v4.0 anteriores a 4.0.20"}], "id": "CVE-2020-7929", "lastModified": "2024-09-16T20:15:36.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2021-03-01T16:15:12.747", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-51083"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-185"}], "source": "cna@mongodb.com", "type": "Secondary"}]}