A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication.
The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes.
This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation).
Vulnerability Analysis
Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism.
The server fails to properly validate date values in JSON input, leading to:
Complete server crashes without authentication in v7.0 and v8.0 deployments
Post-authentication DoS in v6.0 environments
Critical disruption of database operations through invariant failures
The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact.
MongoDB has classified this as CWE-20 (Improper Input Validation).
Mitigation and Updates
Administrators should immediately upgrade to patched versions:
MongoDB v6.0 → 6.0.21 or later
MongoDB v7.0 → 7.0.17 or later
MongoDB v8.0 → 8.0.5 or later
For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.
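As an added triage helper (not MongoDB's own tooling), the script below applies the version thresholds above to a constructed server inventory and reports whether each host still needs the upgrade or has the interim mitigation (OIDC disabled) in place. It assumes the version string and enabled mechanism list were collected from each server beforehand; the host names and values are constructed.

```python
"""Added triage helper for CVE-2025-6709 (not MongoDB's own tooling).
Version strings and mechanism lists here are constructed; in practice they
come from buildInfo.version and the authenticationMechanisms parameter."""
from typing import Dict, List, Optional, Tuple

# Fixed releases per branch as stated in the advisory.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 0): (6, 0, 21),
    (7, 0): (7, 0, 17),
    (8, 0): (8, 0, 5),
}
# Branches where the crash needs no authentication (6.x requires auth).
PRE_AUTH_BRANCHES = {(7, 0), (8, 0)}

def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.0.16-rc0' -> (7, 0, 16); drops any pre-release suffix."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def is_affected(version: str) -> Optional[bool]:
    """True if below the branch fix, False if fixed, None if the branch is
    not named in the advisory (assumption: do not guess about others)."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    return None if fixed is None else ver < fixed

def triage(version: str, mechanisms: List[str]) -> str:
    """One-line verdict from a server's version and enabled auth mechanisms."""
    affected = is_affected(version)
    if affected is None:
        return "unknown: branch not named in advisory"
    if not affected:
        return "patched"
    if "MONGODB-OIDC" not in mechanisms:
        return "affected build, but OIDC disabled (interim mitigation)"
    exposure = "pre-auth" if parse_version(version)[:2] in PRE_AUTH_BRANCHES else "post-auth"
    return f"UPGRADE: OIDC enabled on affected build ({exposure} DoS)"

# Constructed inventory, not real hosts.
INVENTORY = {
    "db-a": ("7.0.16", ["SCRAM-SHA-256", "MONGODB-OIDC"]),
    "db-b": ("8.0.5", ["SCRAM-SHA-256", "MONGODB-OIDC"]),
    "db-c": ("6.0.20", ["SCRAM-SHA-256", "MONGODB-OIDC"]),
    "db-d": ("7.0.16", ["SCRAM-SHA-256"]),
}

if __name__ == "__main__":
    for host, (ver, mechs) in INVENTORY.items():
        print(f"{host:5} {ver:7} {triage(ver, mechs)}")
```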
The Real World, a learning platform from the controversial social media personality Andrew Tate, has exposed the records of nearly a million users and over 22 million messages.
Hundreds of thousands of exposed users, millions of messages, and session tokens – that’s the reality that The Real World finds itself in.
The Cybernews research team has uncovered an exposed MongoDB instance holding 88GB of data from one of The Real World's servers.