{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-31T00:00:00", "descriptions": [{"lang": "en", "value": "MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-08T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "101689", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101689"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jira.mongodb.org/browse/SERVER-31273"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15535", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "101689", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101689"}, {"name": "https://jira.mongodb.org/browse/SERVER-31273", "refsource": "CONFIRM", "url": "https://jira.mongodb.org/browse/SERVER-31273"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:57:26.295Z"}, "title": "CVE Program Container", "references": [{"name": "101689", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101689"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.mongodb.org/browse/SERVER-31273"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15535", "datePublished": "2017-11-01T01:00:00", "dateReserved": "2017-10-17T00:00:00", "dateUpdated": "2024-08-05T19:57:26.295Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC15E8B4-0238-40AE-9BF2-C18DEB922790", "versionEndExcluding": "3.4.10", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory."}, {"lang": "es", "value": "MongoDB, en versiones 3.4.x anteriores a la 3.4.10, y desarrollos 3.5.x, tiene un ajuste de configuraci\u00f3n deshabilitado por defecto, networkMessageCompressors (tambi\u00e9n conocido como wire protocol compression), que expone una vulnerabilidad cuando se habilita que podr\u00eda ser explotada por atacantes maliciosos con el fin de provocar una denegaci\u00f3n de servicio o modificar memoria."}], "id": "CVE-2017-15535", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-01T01:29:00.637", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101689"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-31273"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101689"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-31273"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mongodb: Invalid wire protocol compression", "id": "1516183", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1516183"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "details": ["MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.", "A memory corruption flaw was found in the way MongoDB handled wire protocol compression for intra-cluster communication. A privileged network attacker could potentially use this flaw to crash the MongoDB server under certain circumstances."], "name": "CVE-2017-15535", "package_state": [{"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mongodb30upg-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mongodb32-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb34-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhscon:2", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Storage Console 2"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "mongodb", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2017-09-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-15535\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-15535"], "statement": "Satellite 6 uses a vulnerable version of MongoDB. However, it does not enable wire protocol compression, and thus the vulnerability can not be triggered. A fix may be provided in a future release via RHSCL repository.", "threat_severity": "Moderate"}