Sara Golemon

**Name of the Vulnerable Software and Affected Versions** MongoDB Server versions prior to and including v5.0.6 **Description** An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the `$external` database. This may result in mongod denial of service or server crash. **Recommendations** For versions prior to and including v5.0.6, update to a version later than v5.0.6 to resolve the issue. As a temporary workaround, consider restricting access to the `$external` database to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MongoDB Server versions prior to and including 5.0.3 MongoDB Server versions prior to and including 4.4.9 MongoDB Server versions prior to and including 4.2.16 MongoDB Server versions prior to and including 4.0.28 **Description** An authenticated user without specific authorizations may repeatedly invoke the features command at a high volume, leading to resource depletion or high lock contention. This may result in denial of service and, in rare cases, could result in id field collisions. **Recommendations** For MongoDB Server versions prior to and including 5.0.3, update to a version later than 5.0.3 to resolve the issue. For MongoDB Server versions prior to and including 4.4.9, update to a version later than 4.4.9 to resolve the issue. For MongoDB Server versions prior to and including 4.2.16, update to a version later than 4.2.16 to resolve the issue. For MongoDB Server versions prior to and including 4.0.28, update to a version later than 4.0.28 to resolve the issue. As a temporary workaround, consider restricting access to the features command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MongoDB Server versions prior to 3.6.20 MongoDB Server versions prior to 4.0.21 MongoDB Server versions prior to 4.2.10 **Description** The issue is related to a lack of output encoding or escaping in MongoDB, allowing a remote attacker to impact data integrity. Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. **Recommendations** For MongoDB Server versions prior to 3.6.20, update to version 3.6.20 or later. For MongoDB Server versions prior to 4.0.21, update to version 4.0.21 or later. For MongoDB Server versions prior to 4.2.10, update to version 4.2.10 or later.