CVE-2016-3104

Name: CVE-2016-3104
Description: mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release    Version              Status
mongodb (PTS)     jessie     1:2.4.10-5+deb8u1    vulnerable
mongodb (PTS)     stretch    1:3.2.11-2+deb9u1    fixed
mongodb (PTS)     sid        1:3.4.18-2           fixed

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
mongodb    source    (unstable)    1:3.2.11-1

Notes

[jessie] - mongodb <no-dsa> (Minor issue)
[wheezy] - mongodb <no-dsa> (Minor issue)
https://jira.mongodb.org/browse/SERVER-24378
Marking as fixed with the first 3.x based version in unstable
This issue, though, affects only 2.4 (and possibly older) or 2.6
installations, and only in circumstances where they first had a
MongoDB 2.4 installation with authentication enabled, were upgraded
to 2.6, and did not complete a full upgrade.
