Description: mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| mongodb (PTS) | stretch | 1:3.2.11-2+deb9u1 | fixed |
| | stretch (security) | 1:3.2.11-2+deb9u2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|


[jessie] - mongodb <no-dsa> (Minor issue)
[wheezy] - mongodb <no-dsa> (Minor issue)
Marking as fixed with the first 3.x based version in unstable
This issue though affects only 2.4 (and possibly older), or 2.6
installations, but only in circumstances where they first had a
MongoDB 2.4 installation with authentication enabled, upgraded
to 2.6, and did not complete a full upgrade
