CVE-2020-7923
mongodb - security update
CVSS 3.1 score: 6.5 (MEDIUM)
EPSS: 0.44%
Description
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.
How to fix CVE-2020-7923
To remediate CVE-2020-7923, upgrade the affected package to a fixed version below.
- Upgrade to 4.0.19 or later
- Upgrade to 1:3.2.11-2+deb9u2 or later
Is CVE-2020-7923 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 4.0.0 and < 4.0.19; >= 4.2.0 and < 4.2.8; >= 4.4.0 and < 4.4.0
- >= 0 and < 1:3.2.11-2+deb9u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |