FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
d0be8e1f-b19a-11ea-94aa-b827eb2f57d4	MongoDB -- Ensure RoleGraph can serialize authentication restrictions to BSON reports: Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action. Credit Discovered by Tony Yesudas. Discovery 2020-01-10 Entry 2020-06-29 mongodb36 lt 3.6.18 mongodb40 lt 4.0.15 mongodb42 lt 4.2.3 CVE-2020-7921
fd2e0ca8-e3ae-11e9-8af7-08002720423d	mongodb -- Bump Windows package dependencies Rich Mirch reports: An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility. Discovery 2019-08-06 Entry 2019-09-30 mongodb34 lt 3.4.22 mongodb36 lt 3.6.14 mongodb40 lt 4.0.11 CVE-2019-2390 https://jira.mongodb.org/browse/SERVER-42233
273c6c43-e3ad-11e9-8af7-08002720423d	mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name. Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. Discovery 2019-08-06 Entry 2019-09-30 mongodb34 lt 3.4.22 mongodb36 lt 3.6.14 mongodb40 lt 4.0.11 CVE-2019-2389 https://jira.mongodb.org/browse/SERVER-40563

VuXML ID

Description

d0be8e1f-b19a-11ea-94aa-b827eb2f57d4

MongoDB -- Ensure RoleGraph can serialize authentication restrictions to BSON

reports:

Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action.

Credit

Discovered by Tony Yesudas.

Discovery 2020-01-10
Entry 2020-06-29
mongodb36

lt 3.6.18

mongodb40

lt 4.0.15

mongodb42

lt 4.2.3

CVE-2020-7921

fd2e0ca8-e3ae-11e9-8af7-08002720423d

mongodb -- Bump Windows package dependencies

Rich Mirch reports:

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.

Discovery 2019-08-06
Entry 2019-09-30
mongodb34

lt 3.4.22

mongodb36

lt 3.6.14

mongodb40

lt 4.0.11

CVE-2019-2390
https://jira.mongodb.org/browse/SERVER-42233

273c6c43-e3ad-11e9-8af7-08002720423d

mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name.

Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.

Discovery 2019-08-06
Entry 2019-09-30
mongodb34

lt 3.4.22

mongodb36

lt 3.6.14

mongodb40

lt 4.0.11

CVE-2019-2389
https://jira.mongodb.org/browse/SERVER-40563