An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.
The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mongodb | Mongodb | 3.4.0 (including) | 3.4.24 (excluding) |
| Mongodb | Mongodb | 3.6.0 (including) | 3.6.15 (excluding) |
| Mongodb | Mongodb | 4.0.0 (including) | 4.0.13 (excluding) |
| Mongodb | Mongodb | 4.2.0 (including) | 4.2.1 (excluding) |
| Mongodb | Ubuntu | bionic | * |
| Mongodb | Ubuntu | focal | * |
| Mongodb | Ubuntu | trusty | * |
| Mongodb | Ubuntu | upstream | * |
Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker’s account.