======================================================
Name: CVE-2013-3969
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3969
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130606
Category:
Reference: MLIST:[oss-security] 20130730 Re: CVE Request - MongoDB <=2.4.4 uninitialized object
Reference: URL:http://www.openwall.com/lists/oss-security/2013/07/30/10
Reference: MISC:http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/
Reference: CONFIRM:http://www.mongodb.org/about/alerts/
Reference: CONFIRM:https://jira.mongodb.org/browse/SERVER-9878
Reference: SECUNIA:54170
Reference: URL:http://secunia.com/advisories/54170

The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.

Reproducible:

Steps to Reproduce:

We have 2.2.2 in Mageia 3 and 2.4.6 in Cauldron.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
Summary: CVE-2013-3969: MongoDB <=2.4.4 uninitialized object => MongoDB <=2.4.4 uninitialized object (CVE-2013-3969)