ID CVE-2017-15535
Summary MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.
References
Vulnerable Configurations
  • MongoDB 3.4.0
    cpe:2.3:a:mongodb:mongodb:3.4.0
  • MongoDB 3.4.1
    cpe:2.3:a:mongodb:mongodb:3.4.1
  • MongoDB 3.4.2
    cpe:2.3:a:mongodb:mongodb:3.4.2
  • MongoDB 3.4.3
    cpe:2.3:a:mongodb:mongodb:3.4.3
  • MongoDB 3.4.4
    cpe:2.3:a:mongodb:mongodb:3.4.4
  • MongoDB 3.4.5
    cpe:2.3:a:mongodb:mongodb:3.4.5
  • MongoDB 3.4.6
    cpe:2.3:a:mongodb:mongodb:3.4.6
  • MongoDB 3.4.7
    cpe:2.3:a:mongodb:mongodb:3.4.7
  • MongoDB 3.4.9
    cpe:2.3:a:mongodb:mongodb:3.4.9
CVSS
Base: 6.4
Impact:
Exploitability:
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1275.NASL
    description This update for mongodb 3.4.10 fixes the following issues : Security issues fixed : - CVE-2017-15535: MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory. (boo#1065956) Bug fixes : - See release-notes for 3.4.4 - 3.4.10 changes. - https://docs.mongodb.com/manual/release-notes/3.4-changelog/
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 104614
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104614
    title openSUSE Security Update : mongodb (openSUSE-2017-1275)
  • NASL family Databases
    NASL id MONGODB_3_6_0-RC0.NASL
    description The version of the remote MongoDB server is 3.4.x prior to 3.4.10 / 3.5.x prior to 3.6.0-rc0. It is, therefore, affected by a denial of service vulnerability in mongod networkMessageCompressors due to an implementation error. A remote, unauthenticated attacker can exploit this to cause a denial of service or to modify server memory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-22
    modified 2019-02-21
    plugin id 122363
    published 2019-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122363
    title MongoDB 3.4.x < 3.4.10 / 3.5.x < 3.6.0-rc0 mongod
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0052.NASL
    description An update of [rsync,python2,procmail,libvirt,linux,mongodb,openssh,binutils,glibc] packages for photonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111901
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111901
    title Photon OS 1.0: Binutils / Glibc / Linux / Mongodb / Openssh / Procmail / Python2 / Rsync PHSA-2017-0052 (deprecated)
refmap via4
bid 101689
confirm https://jira.mongodb.org/browse/SERVER-31273
Last major update 31-10-2017 - 21:29
Published 31-10-2017 - 21:29
Last modified 22-11-2017 - 16:39