[USN-8064-1] MongoDB vulnerabilities
Posted on 25 February 2026
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-8064-1
February 25, 2026
mongodb vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in MongoDB.
Software Description:
- mongodb: object/document-oriented database
Details:
Eliot Horowitz discovered that MongoDB may fail to validate some instances
of malformed BSON. A remote attacker could possibly use this issue to cause
MongoDB to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-1609)

It was discovered that MongoDB used world-readable permissions on .dbshell
history files. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-6494)

Travis Brown discovered that MongoDB may be unable to parse specially
crafted UTF-8 strings in BSON requests. A remote attacker could possibly
use this issue to cause MongoDB to crash, resulting in a denial of service.
This issue only affected Ubuntu 18.04 LTS. (CVE-2018-20802)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  mongodb                         1:3.6.3-0ubuntu1.4+esm1
                                  Available with Ubuntu Pro
  mongodb-server                  1:3.6.3-0ubuntu1.4+esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  mongodb                         1:2.6.10-0ubuntu1+esm2
                                  Available with Ubuntu Pro
  mongodb-server                  1:2.6.10-0ubuntu1+esm2
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  mongodb                         1:2.4.9-1ubuntu2+esm2
                                  Available with Ubuntu Pro
  mongodb-server                  1:2.4.9-1ubuntu2+esm2
                                  Available with Ubuntu Pro

After a standard system update you need to restart MongoDB to make all the
necessary changes.
References:
https://ubuntu.com/security/notices/USN-8064-1
CVE-2018-20802
