Date:      Mon, 6 Oct 2025 15:44:54 GMT
From:      Fernando Apesteguía <fernape@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 7ec6fda16269 - main - security/vuxml: Add mongodb vulnerabilities
Message-ID:  <202510061544.596FisvI081938@gitrepo.freebsd.org>


The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7ec6fda162694d1ef177aef2cc8f88174d4c8716

commit 7ec6fda162694d1ef177aef2cc8f88174d4c8716
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-10-06 15:43:39 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-10-06 15:43:39 +0000

    security/vuxml: Add mongodb vulnerabilities
    
     * CVE-2025-10061
     * CVE-2025-10060
     * CVE-2025-10059
     * CVE-2025-7259
---
 security/vuxml/vuln/2025.xml | 146 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 146 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index cec42b929a0c..1990b05803ef 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,149 @@
+  <vuln vid="a5395e02-a2ca-11f0-8402-b42e991fc52e">
+    <topic>mongodb -- Malformed $group Query May Cause MongoDB Server to Crash</topic>
+    <affects>
+      <package>
+	<name>mongodb60</name>
+	<range><lt>6.0.25</lt></range>
+      </package>
+      <package>
+	<name>mongodb70</name>
+	<range><lt>7.0.22</lt></range>
+      </package>
+      <package>
+	<name>mongodb80</name>
+	<range><lt>8.1.2</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>cna@mongodb.com reports:</p>
+	<blockquote cite="https://jira.mongodb.org/browse/SERVER-99616">;
+	  <p>An authorized user can cause a crash in the MongoDB Server through
+	a specially crafted $group query.  This vulnerability is related
+	to the incorrect handling of certain accumulator functions when
+	additional parameters are specified within the $group operation.
+	This vulnerability could lead to denial of service if triggered
+	repeatedly.  This issue affects MongoDB Server v6.0 versions prior
+	to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB
+	Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions
+	prior to 8.1.2</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-10061</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10061</url>;
+    </references>
+    <dates>
+      <discovery>2025-09-05</discovery>
+      <entry>2025-10-06</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6d16b410-a2ca-11f0-8402-b42e991fc52e">
+    <topic>mongodb -- MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation</topic>
+    <affects>
+      <package>
+	<name>mongodb60</name>
+	<range><lt>6.0.25</lt></range>
+      </package>
+      <package>
+	<name>mongodb70</name>
+	<range><lt>7.0.22</lt></range>
+      </package>
+      <package>
+	<name>mongodb80</name>
+	<range><lt>8.0.12</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>cna@mongodb.com reports:</p>
+	<blockquote cite="https://jira.mongodb.org/browse/SERVER-95524">;
+	  <p>MongoDB Server may allow upsert operations retried
+	  within a transaction to violate unique index constraints,
+	  potentially causing an invariant failure and server crash
+	  during commit. This issue may be triggered by improper
+	  WriteUnitOfWork state management.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-10060</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10060</url>;
+    </references>
+    <dates>
+      <discovery>2025-09-05</discovery>
+      <entry>2025-10-06</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="4329e3bd-a2ca-11f0-8402-b42e991fc52e">
+    <topic>mongodb -- MongoDB Server router will crash when incorrect lsid is set on a sharded query</topic>
+    <affects>
+      <package>
+	<name>mongodb60</name>
+	<range><lt>6.0.24</lt></range>
+      </package>
+      <package>
+	<name>mongodb70</name>
+	<range><lt>7.0.18</lt></range>
+      </package>
+      <package>
+	<name>mongodb80</name>
+	<range><lt>8.0.6</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>cna@mongodb.com reports:</p>
+	<blockquote cite="https://jira.mongodb.org/browse/SERVER-100901">;
+	  <p>An improper setting of the lsid field on any sharded query can cause
+	a crash in MongoDB routers.  This issue occurs when a generic
+	argument (lsid) is provided in a case when it is not applicable.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-10059</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10059</url>;
+    </references>
+    <dates>
+      <discovery>2025-09-05</discovery>
+      <entry>2025-10-06</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="92880bca-a2c9-11f0-8402-b42e991fc52e">
+    <topic>mongodb -- Certain Queries May Cause MongoDB Server to Crash</topic>
+    <affects>
+      <package>
+	<name>mongodb80</name>
+	<range><lt>8.1.0</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>cna@mongodb.com reports:</p>
+	<blockquote cite="https://jira.mongodb.org/browse/SERVER-102693">;
+	  <p>An authorized user can issue queries with duplicate _id fields,
+	that leads to unexpected behavior in MongoDB Server, which may
+	result to crash.  This issue can only be triggered by authorized
+	users and cause Denial of Service.  This issue affects MongoDB
+	Server v8.1 version 8.1.0.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-7259</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-7259</url>;
+    </references>
+    <dates>
+      <discovery>2025-07-07</discovery>
+      <entry>2025-10-06</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="a9dc3c61-a20f-11f0-91d8-b42e991fc52e">
     <topic>mongodb -- MongoDB Server access to non-initialized memory</topic>
     <affects>
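Review bot: the mongodb80 range in the first entry (CVE-2025-10061, `<range><lt>8.1.2</lt></range>`) does not match the quoted advisory, which lists v8.0 prior to 8.0.12 and v8.1 prior to 8.1.2; mongodb80 is the 8.0 branch, so the bound should be `<lt>8.0.12</lt>`, as the CVE-2025-10060 entry just below already has it, otherwise every 8.0.x release including the fixed ones is reported as vulnerable. The CVE-2025-7259 entry has the mirror-image problem: the advisory says only version 8.1.0 is affected, but `<range><lt>8.1.0</lt></range>` on mongodb80 flags all of 8.0.x and leaves 8.1.0 itself clean; `<range><eq>8.1.0</eq></range>` expresses what the text says (or drop the package block if the port never shipped 8.1.0). The `;` that follows each `<body xmlns="http://www.w3.org/1999/xhtml">`, `<blockquote cite="...">` and `<url>...</url>` would break validation (`make validate` in security/vuxml) if it is really in the committed file; it looks like mail-archive autolink residue, so please confirm against the file rather than this mail. Minor: the CVE-2025-10060 topic reads "due Upsert Operation" and should be "due to Upsert Operation".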

