USN-8064-1: MongoDB vulnerabilities

Publication date

25 February 2026

Overview

Several security issues were fixed in MongoDB.


Packages

  • mongodb - object/document-oriented database

Details

Eliot Horowitz discovered that MongoDB may fail to validate some instances
of malformed BSON. A remote attacker could possibly use this issue to cause
MongoDB to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-1609)

It was discovered that the MongoDB client used world-readable permissions
on .dbshell history files. A local attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-6494)
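
A defender-side check for the CVE-2016-6494 exposure, as an added example that is not part of the original notice: it lists .dbshell history files that group or other users can read and restricts them to their owner. The function names and the layout (home directories directly under the roots passed in) are assumptions of this example, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: audit .dbshell history files for CVE-2016-6494 exposure.
# Assumption: each user's history file is <home>/.dbshell, with home
# directories directly under the roots passed in (for example /home).

# Print the path of every .dbshell file that group or other users can read.
find_exposed_dbshell() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -perm -040 matches group-read, -perm -004 matches other-read.
        find "$root" -maxdepth 2 -type f -name .dbshell \
            \( -perm -040 -o -perm -004 \) -print 2>/dev/null
    done
}

# Remove group/other access from every exposed file; print how many changed.
harden_dbshell() {
    find_exposed_dbshell "$@" | {
        count=0
        while IFS= read -r f; do
            chmod go-rwx "$f" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Constructed demo tree: two home directories, one exposed history file.
demo=$(mktemp -d)
mkdir -p "$demo/alice" "$demo/bob"
printf 'db.auth("app", "constructed-secret")\n' > "$demo/alice/.dbshell"
printf 'show dbs\n' > "$demo/bob/.dbshell"
chmod 644 "$demo/alice/.dbshell"
chmod 600 "$demo/bob/.dbshell"

echo "Exposed before:"; find_exposed_dbshell "$demo"
echo "Files tightened: $(harden_dbshell "$demo")"
echo "Exposed after:";  find_exposed_dbshell "$demo"
rm -rf "$demo"
```

On a real host, call the functions with the directories that hold user homes, for example `find_exposed_dbshell /home` as root.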

Travis Brown discovered that MongoDB may be unable to parse specially
crafted UTF-8 strings in BSON requests. A remote attacker could possibly
use this issue to cause MongoDB to crash, resulting in a denial of service.
This issue only affected Ubuntu 18.04 LTS. (CVE-2018-20802)

Update instructions

After a standard system update, you need to restart MongoDB to make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release      Package           Version
18.04 LTS bionic    mongodb           1:3.6.3-0ubuntu1.4+esm1
                    mongodb-server    1:3.6.3-0ubuntu1.4+esm1
16.04 LTS xenial    mongodb           1:2.6.10-0ubuntu1+esm2
                    mongodb-server    1:2.6.10-0ubuntu1+esm2
14.04 LTS trusty    mongodb           1:2.4.9-1ubuntu2+esm2
                    mongodb-server    1:2.4.9-1ubuntu2+esm2
