A vulnerability in the way PHP applications pass user input to MongoDB through the PHP MongoDB driver could allow an unauthenticated, remote attacker to conduct injection attacks against the targeted system. Although the issue is classed alongside SQL injection, MongoDB executes no SQL: the attacker injects query operators (commonly called NoSQL or operator injection) into the query document that the driver sends to the database.
The vulnerability exists because user-supplied input reaches the PHP MongoDB driver without sufficient sanitization. PHP parses bracketed query-string parameters (for example `name[$ne]=1`) into arrays, and the driver serializes such an array as a nested query document, so a value the script expected to be a literal string is interpreted by MongoDB as a query operator. An attacker could exploit this by submitting crafted objects as GET parameters to the vulnerable .php script. If successful, the attacker could view, modify, or delete information in the underlying database.
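The mechanism above, as an added example that is not code from the advisory or from the MongoDB project: a Python emulation of how PHP turns bracketed GET parameters into arrays, what the resulting query document looks like, and why a login check written as `$users->find(['user' => $_GET['user'], 'pass' => $_GET['pass']])` can be bypassed. The users collection, the query strings and the minimal operator matcher are constructed for the demo; no MongoDB server or PHP interpreter is involved, and `login_vulnerable`/`login_fixed` are hypothetical names.

```python
"""Added example (not from the advisory): emulate in Python how a PHP
script hands GET parameters to the MongoDB driver, and why bracketed
parameters turn into query operators.

PHP parses ?user=admin&pass[$ne]=1 into $_GET['pass'] = ['$ne' => '1'].
Passed straight into a find() filter, the driver serializes that array
as a BSON sub-document, so MongoDB evaluates {"pass": {"$ne": "1"}}
instead of comparing against a literal password. No MongoDB server is
used: a tiny matcher covers only the operators needed for the demo.
"""
import re
from urllib.parse import parse_qsl

# Constructed sample collection standing in for a users collection.
USERS = [
    {"user": "admin", "pass": "s3cret", "role": "admin"},
    {"user": "alice", "pass": "hunter2", "role": "user"},
]


def php_parse_query(qs):
    """Emulate PHP's $_GET parsing: 'a[b]=1' -> {'a': {'b': '1'}}.

    Only bracket nesting is reproduced; PHP's '[]' append syntax and
    duplicate-key rules are not needed here.
    """
    result = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        base, _, rest = key.partition("[")
        path = [base] + (re.findall(r"\[([^\]]*)\]", "[" + rest) if rest else [])
        node = result
        for k in path[:-1]:
            node = node.setdefault(k, {})
        node[path[-1]] = value
    return result


def _match_field(actual, cond):
    """Evaluate one field condition: literal equality, or the $ne and
    $regex operators, the way MongoDB would for these cases."""
    if not isinstance(cond, dict):
        return actual == cond
    for op, arg in cond.items():
        if op == "$ne":
            if actual == arg:
                return False
        elif op == "$regex":
            if actual is None or re.search(arg, str(actual)) is None:
                return False
        else:
            raise ValueError("operator not modelled: " + op)
    return True


def find(collection, query):
    """Minimal stand-in for collection.find(query)."""
    return [doc for doc in collection
            if all(_match_field(doc.get(f), c) for f, c in query.items())]


def login_vulnerable(qs):
    """Mirror of the vulnerable PHP pattern
       $users->find(['user' => $_GET['user'], 'pass' => $_GET['pass']]);
    where whatever type PHP produced is passed through unchanged."""
    get = php_parse_query(qs)
    return find(USERS, {"user": get.get("user"), "pass": get.get("pass")})


def login_fixed(qs):
    """Hardened form: refuse anything that is not a plain string, which in
    PHP is an is_string() check (or a (string) cast) before building the
    filter."""
    get = php_parse_query(qs)
    user, pw = get.get("user"), get.get("pass")
    if not isinstance(user, str) or not isinstance(pw, str):
        return []
    return find(USERS, {"user": user, "pass": pw})


if __name__ == "__main__":
    for qs in ("user=admin&pass=s3cret", "user=admin&pass[$ne]=1",
               "user[$ne]=&pass[$ne]=", "user=admin&pass[$regex]=^s"):
        print(qs, "->", [d["user"] for d in login_vulnerable(qs)],
              "| fixed:", [d["user"] for d in login_fixed(qs)])
```

Running the script shows `pass[$ne]=1` logging in as admin with no password, `user[$ne]=&pass[$ne]=` matching every document, and `pass[$regex]=^s` allowing the password to be recovered one character at a time; the same inputs are rejected by the type check in `login_fixed`. A `(string)` cast is an acceptable alternative to rejection, since PHP converts an array to the literal "Array", which will not match a stored password.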
Proof-of-concept code that exploits this vulnerability is not publicly available.
Administrators are advised to contact the vendor regarding future updates and releases. Application developers can mitigate the issue independently by verifying that every value passed to the driver is a plain string (for example with is_string() or a (string) cast) before it is placed in a query document.
Users should verify that unsolicited links are safe to follow.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
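The detection logic an IDS/IPS rule for this issue would implement, as an added example that is not part of the advisory: scan web-server access logs for requests whose query-string parameter names nest a MongoDB `$operator` inside brackets. The log lines are constructed in Apache combined-log format, and `scan_log`/`operator_keys` are hypothetical names; the second sample line percent-encodes the brackets and dollar sign, which is why the check runs on the decoded parameter names rather than on the raw line.

```python
"""Added example (not from the advisory): flag HTTP requests whose query
string carries MongoDB operator keys such as pass[$ne]=1, the pattern an
IDS/IPS rule for this issue would match on. Sample log lines below are
constructed in Apache combined-log format."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines; the second encodes the brackets
# and the dollar sign (%5B%24ne%5D) to evade a naive literal match, and
# the last uses ordinary bracketed parameters that are not operators.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET /login.php?user=alice&pass=hunter2 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2012:10:01:07 +0000] "GET /login.php?user=admin&pass%5B%24ne%5D=1 HTTP/1.1" 200 1877
10.0.0.9 - - [12/Mar/2012:10:01:09 +0000] "GET /login.php?user[$regex]=^a&pass[$ne]= HTTP/1.1" 200 1877
10.0.0.7 - - [12/Mar/2012:10:02:00 +0000] "GET /index.php?page[id]=3 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
OPERATOR_KEY_RE = re.compile(r"\[\$[A-Za-z]+\]")  # e.g. [$ne], [$regex], [$where]


def operator_keys(target):
    """Return the decoded parameter names in `target` that nest a $operator.

    Decoding first matters: the brackets and '$' may arrive percent-encoded,
    and parse_qsl undoes that encoding before the pattern is applied."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if OPERATOR_KEY_RE.search(k)]


def scan_log(text):
    """Return (client_ip, request_target, offending_keys) per suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        keys = operator_keys(m.group(1))
        if keys:
            hits.append((line.split(" ", 1)[0], m.group(1), keys))
    return hits


if __name__ == "__main__":
    for ip, target, keys in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> operator keys: {keys}")
```

Access logs only record the request line, so this catches the GET-parameter form the advisory describes; the same parameters submitted in a POST body are invisible here and need an inline IPS or WAF that decodes the body. Legitimate PHP applications use bracketed parameters freely (`page[id]=3`), so the rule keys on the `$` prefix rather than on brackets alone to keep the false-positive rate down.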
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
MongoDB has not confirmed the vulnerability and has not released updated software.