{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/vex/2018/cve-2018-20802-els_os-ubuntu16_04els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-03-02T11:35:19Z",
      "generator": {
        "date": "2026-03-02T11:35:19Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2018-20802-ELS_OS-UBUNTU16.04ELS",
      "initial_release_date": "2018-01-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2018-01-01T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-02T11:35:19Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2018-20802"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Ubuntu 16.04",
                "product": {
                  "name": "Ubuntu 16.04",
                  "product_id": "Ubuntu-16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Ubuntu"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mongodb-clients-1:2.6.10-0ubuntu1.amd64",
                "product": {
                  "name": "mongodb-clients-1:2.6.10-0ubuntu1.amd64",
                  "product_id": "mongodb-clients-1:2.6.10-0ubuntu1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/mongodb-clients@2.6.10-0ubuntu1?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mongodb-server-1:2.6.10-0ubuntu1.amd64",
                "product": {
                  "name": "mongodb-server-1:2.6.10-0ubuntu1.amd64",
                  "product_id": "mongodb-server-1:2.6.10-0ubuntu1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/mongodb-server@2.6.10-0ubuntu1?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mongodb-1:2.6.10-0ubuntu1.amd64",
                "product": {
                  "name": "mongodb-1:2.6.10-0ubuntu1.amd64",
                  "product_id": "mongodb-1:2.6.10-0ubuntu1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/mongodb@2.6.10-0ubuntu1?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Canonical Ltd."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                "product": {
                  "name": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                  "product_id": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/mongodb-clients@2.6.10-0ubuntu1%2Btuxcare.els2?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
                "product": {
                  "name": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
                  "product_id": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/mongodb-clients@2.6.10-0ubuntu1%2Btuxcare.els1?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                "product": {
                  "name": "mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                  "product_id": "mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/mongodb-server@2.6.10-0ubuntu1%2Btuxcare.els2?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                "product": {
                  "name": "mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                  "product_id": "mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/mongodb@2.6.10-0ubuntu1%2Btuxcare.els2?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64"
        },
        "product_reference": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-clients-1:2.6.10-0ubuntu1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1.amd64"
        },
        "product_reference": "mongodb-clients-1:2.6.10-0ubuntu1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64"
        },
        "product_reference": "mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64"
        },
        "product_reference": "mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-server-1:2.6.10-0ubuntu1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1.amd64"
        },
        "product_reference": "mongodb-server-1:2.6.10-0ubuntu1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64"
        },
        "product_reference": "mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mongodb-1:2.6.10-0ubuntu1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1.amd64"
        },
        "product_reference": "mongodb-1:2.6.10-0ubuntu1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-20802",
      "cwe": {
        "id": "CWE-394",
        "name": "Unexpected Status Code or Return Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
          "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1.amd64",
          "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
          "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
          "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1.amd64",
          "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
          "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2018-20802"
        },
        {
          "category": "external",
          "summary": "MongoDB Jira issue SERVER-36993",
          "url": "https://jira.mongodb.org/browse/SERVER-36993"
        }
      ],
      "release_date": "2020-11-23T16:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This is a post-authentication denial-of-service bug: an attacker must already hold valid MongoDB credentials with query privileges and have direct network access to the database, and the only impact is a mongod crash (no confidentiality or integrity exposure). It affects only legacy builds (3.6.x before 3.6.9 and 4.0.x before 4.0.3); systems running 3.6.9, 4.0.3, or a newer patch level are not impacted. Given the authenticated-access requirement and the availability-only effect on outdated versions, it can be safely deprioritized relative to issues enabling data access or privilege escalation.",
          "product_ids": [
            "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
            "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1.amd64",
            "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
            "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
            "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1.amd64",
            "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
            "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1.amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
            "Ubuntu-16:mongodb-1:2.6.10-0ubuntu1.amd64",
            "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els1.amd64",
            "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
            "Ubuntu-16:mongodb-clients-1:2.6.10-0ubuntu1.amd64",
            "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1+tuxcare.els2.amd64",
            "Ubuntu-16:mongodb-server-1:2.6.10-0ubuntu1.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}