| Name | CVE-2016-3104 |
|---|---|
| Description | mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| mongodb (PTS) | jessie | 1:2.4.10-5+deb8u1 | vulnerable |
| mongodb (PTS) | stretch (security), stretch (lts), stretch | 1:3.2.11-2+deb9u2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mongodb | source | (unstable) | 1:3.2.11-1 | | | |
Notes
[jessie] - mongodb <no-dsa> (Minor issue)
[wheezy] - mongodb <no-dsa> (Minor issue)
https://jira.mongodb.org/browse/SERVER-24378
Marking as fixed with the first 3.x based version in unstable.
This issue, though, affects only 2.4 (and possibly older) or 2.6 installations, and only in circumstances where they first had a MongoDB 2.4 installation with authentication enabled, upgraded to 2.6, and did not complete a full upgrade