#VU48658 Improper Neutralization of Null Byte or NUL Character in MongoDB - CVE-2020-7928
Published: November 23, 2020 / Updated: November 25, 2020
Vulnerability identifier: #VU48658
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-7928
CWE-ID: CWE-158
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
MongoDB
MongoDB
Software vendor:
MongoDB, Inc.
MongoDB, Inc.
Description
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to the affected software does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. A remote authenticated attacker can trigger a read overrun and access arbitrary memory by issuing specially crafted queries.
Remediation
Install updates from vendor's website.