MongoDB < 2.3.2 BSON Object Length Handling Memory Disclosure

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by an information disclosure
vulnerability.

Description :

The remote MongoDB server is running a version prior to 2.3.2. It is,
therefore, potentially affected by an information disclosure
vulnerability. An error in the handling of BSON (Binary JavaScript
Object Notation) objects with an incorrect length could allow
disclosure of information held in memory.

See also :

http://www.mongodb.org/about/alerts/#security-related
http://www.nessus.org/u?4cbacf08
https://jira.mongodb.org/browse/SERVER-7769
http://article.gmane.org/gmane.comp.security.oss.general/11822
http://blog.ptsecurity.com/2012/11/attacking-mongodb_26.html

Solution :

Upgrade to MongoDB 2.3.2 / 2.4.0 or later. Alternatively, use the
'--objcheck' command line switch to force object checking.

Note that version 2.3.2 is a development version and is not recommended
for production use.
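
For a BSON object with an incorrect length, the basic defensive check is that the length a document declares matches the bytes actually received. The following C code is an added example, not MongoDB's or Tenable's code and not a description of how '--objcheck' is implemented; the function, enum and sample names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this example's validator (hypothetical names). */
enum bson_check { BSON_OK = 0, BSON_TOO_SHORT, BSON_BAD_LENGTH, BSON_NO_TERMINATOR };

/* Read the little-endian int32 length prefix byte by byte (no alignment assumptions). */
static uint32_t bson_declared_len(const uint8_t *buf)
{
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/*
 * Check a BSON document's declared length against the bytes received.
 * buf/avail describe the received data; nothing beyond avail is read.
 */
enum bson_check bson_check_length(const uint8_t *buf, size_t avail)
{
    /* Smallest valid document: 4-byte length prefix + 1-byte terminator. */
    if (buf == NULL || avail < 5)
        return BSON_TOO_SHORT;

    uint32_t declared = bson_declared_len(buf);

    /* Undersized, negative as int32, or larger than what was received. */
    if (declared < 5 || declared > INT32_MAX || (size_t)declared > avail)
        return BSON_BAD_LENGTH;

    /* The last byte inside the declared length must be the 0x00 terminator. */
    if (buf[declared - 1] != 0x00)
        return BSON_NO_TERMINATOR;

    return BSON_OK;
}

/* Constructed sample inputs (not captured traffic). */
/* {"a": 1} encoded as BSON: 12 bytes in total. */
static const uint8_t sample_ok[] = {
    0x0c, 0x00, 0x00, 0x00, 0x10, 'a', 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
/* Same bytes, but the prefix declares 64 bytes. */
static const uint8_t sample_overlong[] = {
    0x40, 0x00, 0x00, 0x00, 0x10, 'a', 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
/* Correct length, but the final byte is not the 0x00 terminator. */
static const uint8_t sample_noterm[] = {
    0x0c, 0x00, 0x00, 0x00, 0x10, 'a', 0x00, 0x01, 0x00, 0x00, 0x00, 0x01 };
```

A document that fails this check should be rejected before any field is parsed or copied.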

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVSS Temporal Score : 4.0
(CVSS2#E:ND/RL:U/RC:ND)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 72334

Bugtraq ID: 64687

CVE ID: CVE-2012-6619
