Vulnerability Details : CVE-2013-3969
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
Vulnerability category: Execute code, Denial of service
Products affected by CVE-2013-3969
- cpe:2.3:a:mongodb:mongodb:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.4:*:*:*:*:*:*:*
Threat overview for CVE-2013-3969
- Top open port discovered on systems with this issue: 27017
- IPs affected by CVE-2013-3969: 48
- Threat actors abusing this issue? Yes
Powered by attack surface intelligence from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2013-3969
- EPSS score: 6.54% (probability of exploitation activity in the next 30 days)
- Percentile: ~94% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2013-3969
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
CWE ids for CVE-2013-3969
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-3969
- http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/
  mongodb – RCE by databaseSpraying – Sec Team Blog
- http://www.mongodb.org/about/alerts/
  MongoDB Alerts | MongoDB (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2013/07/30/10
  oss-security - Re: CVE Request - MongoDB <=2.4.4 uninitialized object
- https://jira.mongodb.org/browse/SERVER-9878
  [SERVER-9878] Add safety checks to V8 C++ bindings - MongoDB