Description
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by SCRT Security · text · remote · multiple
https://www.exploit-db.com/exploits/38669
References (5)
Core References
Various Sources x_refsource_confirm
https://jira.mongodb.org/browse/SERVER-9878
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/07/30/10
Various Sources x_refsource_misc
http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/54170
Vendor Advisory x_refsource_confirm
http://www.mongodb.org/about/alerts/
Scores
EPSS: 0.0824
EPSS Percentile: 92.3%
Details
CWE: CWE-399
Status: published
Products (5)
mongodb/mongodb 2.4.0
mongodb/mongodb 2.4.1
mongodb/mongodb 2.4.2
mongodb/mongodb 2.4.3
mongodb/mongodb 2.4.4
Published: Oct 01, 2013
Tracked Since: Feb 18, 2026