Main Vulnerability Database Vulnerabilities #VU39179

Resource exhaustion in MongoDB - CVE-2016-3104

Published: April 14, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39179

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-3104

CWE-ID: CWE-400

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: MongoDB, Inc.

Affected software:
MongoDB

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.

How to mitigate CVE-2016-3104

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/94929
https://bugzilla.redhat.com/show_bug.cgi?id=1324496
https://jira.mongodb.org/browse/SERVER-24378

Resource exhaustion in MongoDB - CVE-2016-3104

Detailed vulnerability description

How to mitigate CVE-2016-3104

Sources

Please verify you're human