CRITICAL🇵🇱 Wersja polska

CVE-2017-15535

CVSS 9.1v3.0pub. 2017-11-01upd. 2026-05-13

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Mongodb

    APP
    Mongodb
    3.4.0 – 3.4.10 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-14847HIGH8.7⚠ KEVten sam produkt

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by ...

CVE-2026-11933HIGH8.7ten sam produkt

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON d...

CVE-2026-9741HIGH7.1ten sam produkt

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Cli...

CVE-2026-9740HIGH8.7ten sam produkt

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod p...

CVE-2026-9742HIGH8.2ten sam produkt

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" param...